06.3 HHS PIA Summary for Posting (Form) / NIH CC 4D Mac Platform
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/27/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CC 4D Mac Platform
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin, 301-496-4240
10. Provide an overview of the system: CC 4D Mac Platform is comprised of multiple separate
applications using a software suite called 4D. 4D is an integrated development platform - a
single product comprised of the components needed to create and distribute professional
applications. The CC has 3 systems developed on the 4D Mac Platform that are included in the
boundary of this GSS. The CC systems are NIH CC Protocol Tracking (PROTRAK), NIH CC
Medicolegal Request Tracking System (MRT) and NIH CC Medical Staff Credentialing
Processes (SACRED). The systems support administrative functions of the Clinical Center.
Details about the individual systems listed are available in the system's Privacy Impact
Assessment.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This is a GSS for the 4D
Mac Platform and does not collect, maintain or disseminate PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable - No PII is collected, stored or
processed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII is collected, stored or processed.
Details on the administrative, technical, and physical controls are not required for the CC 4D
Mac Platform GSS. The controls for applications that do collect, store or process PII within the
boundaries of the 4D Mac Platform are covered by separate system Privacy Impact Assessments
(PIA).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Admissions and Travel
Voucher Application [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Admissions and Travel Voucher Application
(ATV)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: This is an ancillary application which works with the
CRIS system, allowing research teams to register new patients, submit admission requests, update
patient demographics and submit travel requisitions and payments.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Shares reports containing patient names, demographics and travel dates with Omega travel
agents so that travel arrangements can be made. Additionally shares reports containing patient
names, demographics and travel requests with Chief of Ambulatory Care Services to approve
reimbursement of travel expenses. Information sharing is in accordance with SORN 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Legislation authority is the
Public Health Service Act. (42 U.S.C. 241, 242, 248, 281, 282, 284, 285a, 285b, 285c, 285d,
285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a,
289c, and 44 U.S.C. 3101.) The information collected is name, date of birth, social security
number, mailing address, phone number and medical record number. This information is used to
register individuals as participants in clinical trials and to assist in providing travel
arrangements for those individuals and provide reimbursement. Information is disclosed to
travel agents to assist in making the necessary travel arrangements. Information submission is
voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The CC Information Practices Notice is provided to
each patient when initially registered and admitted to the Clinical Center. Each patient would be
advised at the time of admission about major system changes and the CC Information Practices
Notice would be revised and provided to each patient.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system and all contained data are
protected using administrative, technical and physical security controls. The system is physically
located behind locked doors, monitored by CCTV and Systems Monitoring staff in attendance
around the clock. Additionally, the system is behind the NIH, CC and CRIS firewalls. Access to
PII and privileges are based on users' assigned roles. Authentication with NIH PIV card will
occur at the time of login to the NIH network via CC CASPER for remote users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Medication
Dispensing (Omnicell)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/3/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3097-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC Automated Medication Dispensing
(Omnicell)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The system automates the Pharmacy Dept's ability to
manage and dispense medications at the point of use, increasing patient safety with the use of
medication profiles, improving workflow efficiency and enhancing medication security.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system captures and
maintains information on registered CC patients including patient name, Date of Birth, MRN,
gender, allergies, medication order number, visit number and administration instructions. The
system captures and maintains information on CC caregivers including staff name, user role and
fingerprint biometric identifier. The information is shared with Omnicell administrators in
Pharmacy and with CC Nurse Managers responsible for the investigation of dispensing cabinet
diversion reports. The collection of PII is voluntary since admission to the CC and specific
research protocol(s) is completely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Admission to the Clinical Center (CC) is completely
voluntary and requires consent of each patient. Additionally, each patient is provided a full
written accounting of established information practices at the CC, including the capture and use
of PII, and has the opportunity to ask questions. Each patient must acknowledge receipt of same
through manual signature on the CC Information Practices Notice Form.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII will reside on a server in the CC
DataCenter protected by restricted access and video closed circuit TV. The server will be behind
the NIH and CC clinical firewall. The Omnicell SecureVault PC and stand-alone PC in the
Pharmacy Dept are protected by restricted access and video monitoring. The Omnicell
automated medication dispensing cabinets are on the medical VLAN and located in the Nursing
Units behind locked doors with access restricted by Staff ID badge or key. Access to the
dispensing cabinets is granted by user type and is set by the Pharmacy Dept Omnicell
Administrator in accordance with Pharmacy policies. Access to the dispensing cabinets will
require password or fingerprint identification and inclusion in specific user types based on the
user role.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Nurse Staff
Office Schedule [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3008-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC ANSOS: Automated Nurse Staff Office
Schedule
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Barbara Quinn
10. Provide an overview of the system: The ANSOS System is used to arrange schedules and
project staffing needs for nurses caring for patients at the Clinical Center and is authorized by
Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Includes basic identification
data including name, date of birth, address, phone numbers and related information (CC training
attendance records) necessary to develop schedules for nurses. Submission is a condition of
employment as a nurse at the Clinical Center. In addition, inpatient census data by patient care
unit and outpatient census data by outpatient clinic and day hospital is collected to project
utilization and staffing needs across the Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each individual is informed of information practices
upon orientation and subsequently when individual schedules are developed. In addition, the CC
Nursing Department is responsible for notifying each nurse of major system changes related to
PII, which may be done electronically or in written form.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Only authorized persons may have access to
the ANSOS System, and the system is protected through door locks and other physical controls,
as well as technical controls including user identification and password protection.
Authentication with NIH PIV card will occur at time of login to the NIH Network via CC CASPER
for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Barcode Enabled
Automated Point of Care Technology (BEAPOCT)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH CC Barcode Enabled Automated Point
of Care Technology (BEAPOCT)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: BEAPOCT consists of 2 applications with interfaces to
existing hospital and lab systems. SMARTworks Patient Linkup Enterprise (PLUE) system
provides printed barcoded patient wristbands, picture wallet ID cards and labels. CareFusion
utilizes the barcode technology and wireless scanning to identify patients, staff, lab tests,
specimens and blood products while capturing data that is pertinent for safe, accurate and timely
documentation.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
NA
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information collected
includes individual patient demographics, medical notes, vital signs at time of transfusion, Donor
ID, photographic images, staff name, role and NED ID. Patient name, DOB, MRN and
photographs enhance positive patient identification processes, thus safety, throughout the NIH
Clinical Center. Donor ID, medical notes and vital signs are collected to document care and
satisfy reporting requirements for blood administration. Staff name, role and NED ID associate
resources with critical clinical tasks performed such as labeling of laboratory specimens and
verification of blood transfusion products. Patient and staff information does contain PII. The
information is submitted voluntarily based on an individual's consent to become a registered
patient at NIH or be employed in the clinical care of CC patients.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is obtained from interfaces to existing CC
clinical systems, including the admission, discharge and transfer (ADT) system, Clinical
Research Information System (CRIS) and laboratory information system (LIS), including
SoftBank. Admission and protocol consent forms are signed by each patient and an information
practices notification form is provided to each patient at the time of initial admission. Each
patient would be advised at the time of admission about major system changes and the CC
Information Practices Notice would be revised and provided to each patient.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system and all contained data are
protected using administrative, technical, physical security and privacy controls. The system is
located on servers in the CC Data Center protected by restricted access and video monitoring.
Access to the application is granted by scanning an authorized user's NED ID. Authorized users'
access and privileges are restricted by assigned user roles. Authentication with NIH PIV cards
will occur at the time of login to the NIH network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Biomedical
Translational Research Information System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3009-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Biomedical Translational Research
Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Elaine Ayres
10. Provide an overview of the system: BTRIS will provide longitudinal data, text and images
from NIH intramural clinical care and research systems to facilitate data analysis, hypothesis
generation and patient recruitment in support of the NIH intramural research mission. Principal
investigators and designees (e.g. associate investigators), IC Data Extractors and Administrative
Users will be allowed to access identified data only as permitted by their active protocol(s).
Other users with appropriate IRB or OHSR clearances will be able to access and query only data
in a de-identified manner.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII data in BTRIS will only be shared with authorized principal investigators for patients
enrolled in their active protocols or others authorized by the appropriate IRB or OHSR, e.g.
associate investigators, IC Data Extractors and Administrative Users. All others will only be
granted access to de-identified data. Data will be used for statistical analysis, hypothesis
development & testing, quality assurance, clinical comparison and subject recruitment.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Clinical and research data
including diagnostic, therapeutic, imaging, and research testing results will be stored in BTRIS.
PII will be collected and will include names, medical record numbers and diagnosis. PII data in
BTRIS will only be shared with authorized principal investigators for patients enrolled in their
active protocols or others authorized by the appropriate IRB or OHSR e.g. associate
investigators, IC Data Extractors, Administrative Users. All others will only be granted access
to de-identified data. Data will be used for statistical analysis, hypothesis development & testing,
clinical comparison, quality assurance purposes, and subject recruitment. The collection of all
data is voluntary. Every patient must voluntarily execute a protocol consent and admission
consent prior to entry onto an intramural research protocol and treatment at the Clinical Center.
In addition, each patient is provided a formal notification of Information Practices at the Clinical
Center and must certify that they have been so advised.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Every patient must voluntarily execute a protocol
consent and admission consent prior to entry onto an intramural research protocol and treatment
at the Clinical Center. In addition, each patient is provided a formal notification of Information
Practices at the Clinical Center and must certify that they have been so advised. BTRIS will
contain longitudinal data, text and images from NIH intramural clinical care and research
systems to facilitate data analysis, hypothesis generation and patient recruitment in support of the
NIH intramural research mission. Principal investigators and designees (e.g. associate
investigators) will be allowed to access identified data only as permitted by their active
protocol(s). Other users with appropriate IRB or OHSR clearances will be able to access and
query only data in a de-identified manner. If a major change occurs, a revised Information
Practices Form will be developed and presented to each patient.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The BTRIS system and all data contained
therein are protected using administrative, technical and physical security and privacy controls.
The system is behind locked doors and monitored by closed circuit TV. Access to the physical
system is limited to authorized staff with common access cards. In addition, only principal
investigators or others authorized by an appropriate IRB or OHSR have access to PII in the
application, while all others only have access to de-identified data. Application access is also
restricted based on user roles and password authentication. Authentication with NIH PIV cards
using SiteMinder will occur for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Blood Bank Control
System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3007-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0011
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Blood Bank Control System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Boyd Conley
10. Provide an overview of the system: The system contains data regarding donors at the
Department of Transfusion Medicine used to conduct clinical care and research at the Clinical
Center as authorized by Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information, including past
donations, blood types, phenotypes, lab results, serologic reactions and related information, is
collected from donors of blood and blood components to be used for clinical care and research at
the Clinical Center. Submission is mandatory since donations must be directly attributable to
each individual donor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each individual donor is informed of required
information collection and uses before donation. Major systems changes would be sent directly
to each donor and new consents obtained upon new donations.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Only authorized persons may have access
and the system is protected through door locks and other physical controls, as well as technical
controls including user identification and password protection. Fingerprint recognition access
controls are in place at the alternate location site in Bldg 12.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC CC 3M Medical
Record Processing System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Automated Medical Record Processing and
Tracking Applications
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: Automated medical record processing and tracking
applications containing demographic and tracking information are maintained on registered
Clinical Center patients in order to route documents for creation, recording, retention, signature
and location.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
None
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information is collected to
identify and route clinical documentation electronically for user review and confirmation. The
information collected consists of patient and clinician demographic information, along with
clinical documentation identifiers and location information. The information is voluntarily
provided at the time of dictation or authorship, and each patient is informed of CC information
practices before admission as a patient at the Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The automated medical record processing and tracking
applications are a part of the medical record system which is an approved Privacy Act System.
As such, each individual is informed of all information practices and any major system changes
are published under a revised SORN.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: All information is protected by applying
user ID, hierarchical passwords and administrative controls including supervisor limiting
employee access on a need-to-know and minimum amount basis. Authentication with NIH
PIV cards will occur at time of login to the NIH Network via CC CASPER for remote application
users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Clinical Research
Volunteer Program [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/9/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0012
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC Clinical Research Volunteer Program
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The system contains information about potential
candidates for participation as volunteers or research subjects in clinical research
protocols at the Clinical Center.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This information is addressed in the NIH Privacy Act System of Records Notice 09-25-0012,
published in the Federal Register, Volume 67, No. 187, September 26, 2002. Clinical research
volunteer data are made available to approved or collaborating intramural researchers.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Demographics and health
information are collected from program applications, health questionnaires and records of prior
participation to provide appropriate persons as volunteers or research subjects in approved
research protocols conducted at the Clinical Center. Submission is voluntary if the applicant wants to
be referred as a potential research subject. Information is also used to process requests for
compensation and authorization of payments to research volunteers. Checks are issued by the
Treasury Department.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each person is verbally informed of information uses
and verbal consent is obtained from each person who wishes to be evaluated as a potential
research subject. Each individual is informed of information collection and uses prior to referral
as a volunteer or patient. Each applicant would be notified directly by phone of any major
system changes and new consent would be obtained.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: As per standard CIT procedures for the
collection, maintenance and destruction of computer files, and as specified in the Privacy Act
System Notice. Authentication will occur at time of login to the NIH Network via CC CASPER for
remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Executive
Information System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/25/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3099-00-403-131
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): CC Executive Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The Executive Information System (EIS) is an
application designed to provide real time reporting of key hospital performance indicators. The
EIS provides query and reporting capabilities for executive decision makers, and allows staff to
view daily, monthly, annual patient census information and key hospital performance metrics.
Census data can be reported by hospital unit and protocol, IC, branch, and Principal Investigator
name associated with protocol activity.
EIS reports, but does not collect, census statistics and resource utilization. Metrics include
admissions, inpatient days, outpatient visits, average length of stay, discharges, patient counts
and volume and cost of services provided. The information is used by nursing staff, clinical
departments and institutes to manage operations and by executive leadership to track trends in
hospital census activity and resource utilization.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EIS reports, but does not
collect, census statistics. Metrics include admissions, inpatient days, outpatient visits, average
length of stay, discharges, and patient counts. The information is used by nursing and clinical
departments to manage operations and is used by executive leadership to track trends in hospital
census activity. The principal investigator name (federal employee PII) associated with protocol
activity is reported. CC social workers' names, collected from the scheduling system, are also
reported in the EIS system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Principal investigators provide their name at the time
they apply for protocol approval from their IRB, which is required for protocol review and
administrative approval. If any information other than principal investigator names is collected,
then notification will be sent out from OMAR to each individual. CC social workers provide their
name when they confirm the outpatient appointment in the scheduling.com application. If any
information other than CC social workers' names is collected, then notification will be sent out
from OMAR to each individual.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII is secured using user names/passwords,
least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access
to NIH campus and background investigations.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC CC IT Infrastructure
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): CC IT Infrastructure
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The CC IT Infrastructure (CC ITI) is a GSS that
supports approximately 4,500 users within the NIH Clinical Center, and is located in Bldg 10-
CRC on the NIH campus in Bethesda, Maryland. The CC ITI hosts a myriad of servers,
components, workstations, network and infrastructure devices used to manage NIH
information. The Department of Clinical Research Informatics (DCRI) is responsible for the
management of the CC ITI. The CC ITI comprises a variety of servers including network
servers, application servers, Web and Internet servers. While many applications with PII reside
on servers in the CC ITI, the CC ITI provides the infrastructure to support those applications.
The collection, storage and processing of PII for those applications will be covered by separate
system Privacy Impact Assessments (PIA), not by the CC ITI PIA.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII collected, stored or processed by applications in the CC ITI is covered by separate Privacy
Impact Assessments, not by the CC ITI PIA.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This is a GSS for the IT
infrastructure and does not collect, maintain or disseminate PII. No PII is collected, stored or
processed. Private shares on the CC ITI file servers are used by CC personnel for storage of
working documents to facilitate performance of their assigned duties. The information in
working documents does not contain PII per NIH and CC policies.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable - No PII is collected, stored or
processed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII is collected, stored or processed.
Details on the administrative, technical, and physical controls are not required for the CC ITI
GSS but have been provided where relevant for server and network access. The controls for
applications that do collect, store or process PII residing in the CC ITI will be covered by
separate system Privacy Impact Assessments (PIA), not the CC ITI PIA.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240, smartin@cc.nih.gov
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Protocol Tracking
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC Patient & Research Services: Protocol
Tracking
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The Protocol Tracking System is used to collect,
maintain and report administrative data about intramural research protocols under authority of
Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
NIH Employees for protocol approval, control and reporting. System provides data feed to new
NIH NLM website, http://clinicaltrials.gov that includes brief description of protocol and PI
contact information to inform public of available clinical research trials being conducted.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The only PII contained in
the Protocol Tracking System are the names of the investigators related to each protocol,
including NIH employees, contractors and other collaborators. The submission of all names is
mandatory when the protocol is submitted to the IRB for approval.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Employees provide names at the time as a part of the
protocol approval process and the names of Government employees are a matter of public
record. There are no plans to add additional PII information at the current time, but the Office
of Protocol Services would provide notification to each investigator if additions were made in the
future.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Only authorized persons may have access to
the Protocol Tracking System, and the system is protected through door locks and other physical
controls, as well as technical controls including user identification and password protection.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Prototype [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/25/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): CC Prototype
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: Custom application providing a Web-based protocol
authoring tool that utilizes a systematic framework to develop and maintain research protocols
throughout their lifecycle. The application utilizes templates and language specified by the IC
Institutional Review Board (IRB). Users include Primary Investigators (PI), Associate
Investigators (AI) and IC reviewers.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information collected
includes protocol documents, protocol workflows, status of protocol review, user's name, user's
contact information and user's IC. The information is utilized to support authoring, reviewing
and management of a protocol from cradle to grave. The system includes PII about the Primary
Investigator and Associate Investigator. The submission of federal contact information is
voluntary for IC staff who choose to use the protocol authorizing system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Release Notes describing system changes are
electronically distributed to the registered users accessing the CC Prototype system with each
version upgrade. The Release Notes provides notice of changes made during upgrades to add/
modify data fields and add/modify data flow and add new features and functionality. The PII
collected about users is limited, i.e., name, federal contact address, federal contact phone
number, personal email and organization. The PII is collected from the user at the time a new
account is created. The user may update the address, phone number and email at any time. The
information is used to identify the authors and reviewers associated with protocols during the
protocol development and approval phase. The information is not shared with other systems.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system and all contained data are
protected using administrative, technical, physical security and privacy controls. The system is
located behind locked doors, monitored on CC TV and requires key card access for admission to
the CC Data Center. In addition, only authorized users may access the system, based on user roles
and passwords.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC CC Visual Supply
Catalog [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: none
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): Visual Supply Catalog
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin, CC Privacy Officer
10. Provide an overview of the system: The Visual Supply Catalog is a web-based application
that displays photographs of individual medical-surgical items, along with pertinent ordering
information. The VSC was formulated using the electronic "shopping cart" concept typically
used for on-line ordering and supports the ordering of supplies by medical staff members for use
by Clinical Center patients.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The PII collected will
include patient name, medical record number, address and phone number. These data are
necessary to assure that medical-surgical supplies ordered are accurately filled and mailed to the
proper patient. Admission to the Clinical Center is entirely voluntary and each patient is advised
of the Clinical Center information management practices in writing at the time of admission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Admission to the Clinical Center is entirely voluntary
and each patient is advised of the Clinical Center information management practices in writing at
the time of admission.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to the system is controlled through
the use of user IDs, passwords and access levels. Authentication with NIH PIV cards will occur
at the time of login to the NIH network via CC CASPER for remote application users. The
servers are located in a controlled environment of the DCRI Data Center and physical controls
include locked doors, key card access, cameras, etc.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Citrix Netscaler
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/27/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH CC CITRIX Netscaler
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The Clinical Center (CC) CITRIX Netscaler system is
used as a FIPS compliant secure authentication portal for the CC CITRIX published applications.
It is a hardened appliance that requires LDAP or Smartcard authentication in order to access
applications published in the CC CITRIX farm. It is a high availability network load balancer
and is used to limit outages due to server maintenance and problem resolution.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: No PII is collected, stored or
processed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable - No PII is collected, stored or
processed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII is collected, stored or processed by
the CC CITRIX Netscaler system. The CITRIX farm servers are protected using administrative,
technical and physical security controls. The system is located behind locked doors, monitored
by closed circuit TV and requires key card access for admission to the CC Data Center.
Biometric authentication is required for admission to the high availability location in Bldg. 12
Customer Service Area. The system will enforce two factor authentication at the time of login to
the NIH network via CC CASPER for remote users accessing applications published in the CC
CITRIX farm.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin: CC Privacy Officer, 301-496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research
Information System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-01-3006-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): CC-1
7. System Name (Align with system Item name): Clinical Research Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Jon McKeeby
10. Provide an overview of the system: Core system and component applications to document
clinical care and research for registered patients at the Clinical Research Center: NIH. This
activity is authorized by Section 301 of the Public Health and Safety Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The Mayo Clinic for contracted lab tests not performed by the Department Of Laboratory
Medicine at the CC.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information collected
includes individual patient demographics, confirmed appointments, clinical research data and
those related to diagnosis and treatment at the Clinical Center. These may include results of
laboratory tests, imaging studies, blood product utilization, social work encounters, medical &
ethical consults, surgery and other related clinical interactions while a patient at the Clinical
Center. Patient information collected by the NIH as described in the NIH System of Records
09-25-0099 is utilized as the official clinical research record for each research participant. The
information contains PII and the submission is voluntary based on an individual's consent to
become a registered patient at NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is obtained from patient interviews,
referring physicians, a datafeed from the hospital scheduling system, a multi-disciplinary care
team, and diagnostic, therapeutic, and research results. Admission and protocol consent forms
are signed by each patient and an information practices notification form is provided to each
patient at the time of initial admission. Each patient would be advised at the time of admission
about major system changes and the CC Information Practices Notice would be revised and
provided to each patient.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system and all contained data are
protected using administrative, technical, and physical security controls. System components are
located behind locked doors, monitored by CC TV and Systems Monitoring staff in attendance
around the clock. Additionally, the system is behind the NIH, CC and CRIS firewalls. Access to
PII and privileges are based on the user's assigned roles. Authentication with NIH PIV cards will
occur at the time of login to the NIH Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research
Student Records System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/18/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0014
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CC Clinical Research Student Records
System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bob Lembo (301)-496-2636
10. Provide an overview of the system: This collection of administrative systems tracks
applications from healthcare researchers, providers and administrators in training to the NIH
Clinical Center Office of Clinical Research Training and Medical Education's undergraduate and
graduate medical education programs, including the Clinical Electives Program (CEP), the
Resident Electives Program (REP), Clinical Research Training Program (CRTP), Sabbatical
Program and to selected Graduate Medical Education (GME) programs sponsored by various
Institutes and Centers within the NIH. Two third-party web applications under the direction of
the Executive Director for Graduate Medical Education provide online course registration
functionality for NIH training programs and conduct Alumni tracking surveys for graduates of
the NIH training programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The PII information
collected includes name, personal mailing address, personal phone number, personal email
address and educational records. The information is not disseminated and is used to process
applicants for training programs sponsored by various Institutes and Centers within the NIH.
The information is submitted voluntarily by medical/dental students or physicians and is
collected to determine the suitability of applicants for NIH clinical research training programs.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no current process to notify individuals when a
major change occurs. Individuals are notified by email communications and electronic notice
that submission of information is voluntary and how it will be used.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The electronic versions are password
protected. Access to hard copies has physical controls in place and requires administrative
requests and approval. The system resides in the CC Data Center where it is protected by locks,
video monitoring and controlled access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, NIH/CC/DCRI, 301-496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC DTM SQL System
Applications
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0011
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): CC DTM Applications Non-COTS (DANC)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Boyd Conley
10. Provide an overview of the system: The DTM Applications Non-COTS (DANC) provides
the Department of Transfusion Medicine (DTM) with administrative reporting functionality for
donors and research management. The system provides DTM staff with tools to make decisions
about the collection, use and distribution of donated blood.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The DANC system will
collect demographic information, medical notes, travel history and laboratory results on donors
and NIH research participants. The information is used by DTM staff to perform routine tasks
required by the American Association of Blood Banks and the FDA and support CC research
protocols. The system will collect PII on donors and NIH research participants. The submission
is mandatory since donations must be directly attributable to each individual donor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each individual donor is informed of required
information collection and uses before donation. Major systems changes would be sent directly
to each donor and new consents obtained upon new donations.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Only authorized persons with assigned roles
may have access to the system. The DANC system is protected in the CC Data Center through
door locks and other physical controls. Access to DANC is secured by technical controls;
including user identification and password protection.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin: CC Privacy Officer, 301-496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC EKG System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CC EKG System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dennis Brown
10. Provide an overview of the system: The TraceMasterVue ECG management system
automates ECG data acquired from EKG machines and provides viewing, editing, resulting and
report management functionality to the EKG technician and cardiologist users working in the
EKG Dept. ORDERLINK is a bi-directional interface for ADT/orders that interfaces with the
hospital clinical information system known as Clinical Research Information System (CRIS
Sunrise). After verification by the cardiologists, test results and reports from TraceMasterVue
are sent to CRIS Sunrise.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects,
maintains and disseminates electrocardiogram (ECG) tracings and reports on CC patients for the
purpose of diagnosis and treatment of underlying heart conditions while enrolled in NIH
intramural protocols. The ECG reports contain PII, which includes patient name, date of birth,
medical record number, medical notes, Order ID and name of cardiologist reviewing transmitted
ECG tracings. The submission is voluntary based on an individual's consent to become a
registered patient at NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is obtained from patient interviews,
medical orders, and EKG machines when the diagnostic ECG test is performed at the CC.
Admission and protocol consent forms are signed by each patient. CC Information Practices
Notification is provided to each patient at the time of initial admission to the CC. If there is a
major system change, each patient would be advised at the time of subsequent admissions and a
revised CC Information Practices Notification would be provided to each patient.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The EKG system hardware and software
employ administrative, technical and physical controls to protect patients' PII and sensitive data.
The TraceMasterVue and ORDERLINK servers are located in locked areas of the CC. System
administrators must have physical keys and/or cardkeys to work on servers in these secure
locations. Data is backed up nightly and stored offsite. Application access requires a user ID
and password. All PII is logically located behind multiple firewalls for increased protection.
Authentication with NIH PIVcard will occur at time of login to CC Network via CC CASPER
for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC eSphere System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CC eSphere System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The CC eSphere System is used by the CC Pain and
Palliative Care department clinical staff to document and report the results of pain consults
performed on CC patients. The eSphere application receives Admissions, Discharge and
Transfer (ADT), consult orders, medication orders and allergy information from CRIS Sunrise
via interface. Additionally, the eSphere application sends the completed consult report to CRIS
Sunrise via interface so it becomes part of the patient's electronic medical record.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected,
maintained and disseminated to CRIS Sunrise by the eSphere application does include PII. The
information includes name, date of birth, medical record and medical notes such as medications
and allergies on CC patients. Information is collected for the purpose of diagnosis and treatment
by the CC Pain and Palliative Care department clinical staff. The information is submitted
voluntarily based on the individual's consent to become a registered patient at NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is obtained from patient interviews,
referring physicians and CRIS Sunrise, the electronic medical record for CC patients.
Admission and protocol consent forms are signed by each patient and the CC Information
Practices Notice form is signed by each patient at the time of their initial admission. Each
patient would be advised at the time of admission about major system changes and the CC
Information Practices Notice would be revised and provided to each patient.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system and all contained data are
protected using administrative, technical and physical controls. The servers and application are
physically located in the CC Data Center with access limited to authorized CC IT staff. The
information is logically located behind multiple firewalls. User access and privileges in the
application are based on their assigned roles in the application. Access to the application is
controlled by Citrix technology and encryption is employed. Authentication with NIH PIVcards
will occur at the time of login to the NIH network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Histotrac
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CC Histotrac
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: CC Histotrac is a laboratory software application that
tracks the results of human leukocyte antigen (HLA) testing performed on blood samples from CC
patients and potential donors. The Histotrac system provides a single database to track the status
of samples received and tested at the CC, query results for CC patients and donors, and provides
a reporting functionality for the Department of Transfusion Medicine (DTM) clinicians and
leadership team. The system is utilized by DTM staff to support the intramural transplant
programs operated by NHLBI and NCI.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Limited PII is shared with the NIH intramural research transplant program staff from NHLBI
and NCI for the purposes of clinical care and research.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The system collects,
maintains and disseminates blood types, HLA testing results, and related medical information
collected from donors and potential transplant recipients. (2) The information is required by the
DTM staff and intramural research team to make clinical decisions regarding potential
transplantation. (3) The information contains PII, including name, date of birth, medical record
number and medical notes. (4) Submission is mandatory since donations must be directly
attributable to each donor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each individual donor is informed of required
information collection and uses before donation. Major system changes would be sent directly to
each donor and new consents obtained upon new donations. The information will be used to
make clinical decisions regarding potential transplantation of CC patients.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Only authorized persons with assigned roles
may have access to the system. The Histotrac system is protected in the CC Data Center through
door locks and other physical controls. Access to Histotrac is secured by technical controls;
including user identification and password protection.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, Clinical Center, Privacy Officer
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Hospital Materials Management System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/2/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): CC Hospital Materials Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: CC Hospital Materials Management System, also known
as Lawson, is an Inventory Management System. Everything that is bought, received, stored,
transferred, issued, or disposed of is recorded and controlled. The program is a live inventory that
instantaneously records any supply activity entered in the system. It makes daily
recommendations both for replenishing the Central Hospital Supply shelves from the Storage &
Distribution Warehouse and for reordering supplies that have fallen below their "par
levels". It is the database linked to the Visual Supply Catalogue to give users the
best "picture" of, and information on, medical supplies. Finally, it is a tracking system for receiving
supply orders that is used by Materials Management Dept staff.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: CC Hospital Materials
Management System, also known as Lawson, is supply/inventory software that stores CC
customer (patient care unit names, Clinic names, ancillary dept. names, not PII) and product
information. The information stored is a history of purchases, receipts, issues, transfers etc. of
supplies purchased and equipment purchased by the Materials Management Department and
consumed by the CC customer locations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This is an inventory management system - no PII is
collected or maintained.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This is an inventory management system -
no PII is collected or maintained. Authentication with NIH PIVcards will occur at the time of
login to the CC network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: smartin@cc.nih.gov
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Investigational Drug Management System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/3/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): CC Investigational Drug Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The CC Investigational Drug Management System
(IDMS) is used by the Pharmacy Dept. to create, manage and store data related to investigational
drugs used in the Clinical Center. The Pharmaceutical Development Section (PDS) provides
investigational drug services for IRB approved intramural research protocols. IDMS provides
PDS with the ability to track the inventory of the investigational drugs and the raw materials
used to make the drugs. The system also provides the ability to fill prescriptions from the
inventory of investigational drugs tracked by IDMS. Additionally, it provides Protocol/Study
tracking capability.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The IDMS system receives patient and prescription order data from CRIS Sunrise, the CC
hospital information system. There are no external systems that share or disclose data with
IDMS.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects,
maintains and disseminates IDMS data about CC patients for the purpose of filling prescriptions
and tracking the use of investigational drug administration on IRB approved protocols. The
IDMS reports contain PII, which includes patient name, medical record number, patient study
number, prescribing physician name, protocol name, and protocol number. The submission is
voluntary based on an individual's consent to become a registered patient at NIH and enroll in an
intramural research protocol.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII information is collected in CRIS Sunrise.
Admission and protocol consent forms are signed by each patient. CC Information Practices
Notification is provided to each patient at the time of initial admission to the CC. If there is a
major system change, each patient would be advised at the time of subsequent admissions and a
revised CC Information Practices Notification would be provided to each patient.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The IDMS system employs administrative,
technical and physical controls to protect PII and sensitive data. The servers are located in the
CC Data Center, behind locked doors and monitored 24/7 by DCRI Systems Operations team.
Data is backed up nightly and stored offsite. User authentication is based on NIH Active
Directory. Access and privileges in IDMS are determined by the user's assigned role. All PII is
logically located behind multiple firewalls for increased protection. Authentication with NIH
PIVcard will occur at time of login to CC Network via CC CASPER for remote application
users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Laboratory Information System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Laboratory Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The LIS is an automated system designed to track,
report and maintain results for laboratory tests performed on Clinical Center patients. Results
comprise part of the official patient medical record.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The LIS captures laboratory results for specific Clinical Center patients and shares those results
along with identifying PII with caregivers and scientists at the Clinical Center.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The LIS contains
information regarding the entry of specific orders to complete various lab tests ordered on
Clinical Center patients, along with the results of those tests and the PII required to identify the
specific patients to which those orders, tests and results apply. PII collected includes names,
identifying numbers, and other demographics. Information is shared with caregivers and
scientists with authorized access in order to provide clinical care or conduct approved medical
research. Admission to the Clinical Center is completely voluntary and each patient is advised of
Clinical Center information practices at the time of admission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Admission to the Clinical Center is completely
voluntary and each patient is advised of Clinical Center information practices at the time of
admission. In addition, each patient signs an informed consent at the time of each admission. All
notifications and consents are done in hard copy.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: All data is maintained in digital form and
can only be accessed by NIH employees who have been authorized to do so by virtue of their
need to know, need to deliver clinical care or conduct biomedical research. Access is controlled
by role and password. The system servers, etc., are maintained in a controlled-access data center.
Authentication with the NIH PIVcard will occur at the time of login to the NIH Network via
CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, Clinical Center, Privacy Officer
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Medical Staff Credentialing System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/2/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0169
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Medical Staff Credentialing Processes
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: Information is collected from individual members of
the Clinical Center Medical Staff and is used to document their credentialing and privileging
under authority of Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is shared with private medical facilities, state medical boards and accrediting bodies
as part of the credentialing process for medical staff. A read-only view of the Credentialing Process
application is available on defined workstations in the Special Procedures Dept, Surgical Services
Dept and Admissions Dept, allowing the call team to view the medical privileges of medical
consultants at night, on weekends and on holidays when the Credentialing Offices are closed. Names and
email addresses of medical staff applying for privileges to practice at the CC are sent by nightly feed
to the Prescriber Training database to support remote on-line CRIS training. Information about
former medical staff applying for credentials at other hospitals is shared upon receipt of a
signed Release of Information form from the former staff member.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Names, addresses, phone
numbers, medical licenses, college information and related data as part of the individual's
application for membership on the Clinical Center Medical Staff. Information does contain PII.
Electronic signature is collected/stored in the system for utilization with Electronic Signature
Authentication module of Medical Records Department 3M system and electronic prescription
writing functionality in CRIS. Submission is voluntary since application for membership to the
medical staff is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is obtained directly from each applicant,
and each applicant is informed about information collection procedures and rules when signing
the consent authorizing the collection. Notice of major system changes would be sent electronically
to each member of the medical staff, and new consents obtained at the time of reappointment to
the staff.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system and all contained data are
protected using administrative, technical and physical security controls. System is located
behind locked doors, monitored by CCTV and Systems Monitoring staff in attendance around
the clock. Additionally, the system is behind the NIH, CC and CRIS firewalls. Access to PII
and privileges are based on user's assigned role.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Medicolegal Request Tracking [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Medicolegal Request Tracking System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The Medicolegal Request Tracking System is used to
receive requests for and track copies of medical record documentation sent out by the Medical
Record Department to Clinical Center patients and the third parties they authorize to receive such
information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0099,
published in the Federal Register, Volume 67, No 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects patient
names, addresses, type of documentation requested for release, as well as the name and addresses
of the person/organization to which the documentation is to be sent and the dates of receipt and
release. Information is voluntary since release requests are also voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each individual patient is informed of CC information
practices before they are accepted as patients. In addition, each patient must provide a written
release before information is sent out for any other purpose. The Medical Record Department
would be responsible for revising release request authorization and information practices forms if
any major system changes take place.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is maintained under controlled
physical access, and user identification and passwords are in effect for all users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Metabolic Kitchen Nutrition System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH CC Metabolic Kitchen Nutrition System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The NIH CC Metabolic Kitchen Nutrition System
(also known as ProNutra application) is used within the CC Nutrition Department to maintain a
database of nutrient information on foods used in research diets, to calculate research diets for
patients on specific protocols, and to produce food labels and menus for these research diets.
Records are stored linking patient name to research protocol and date that meals were served to
the patient. These records contain information on what foods were eaten, and quantities
consumed.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not automatically disclose PII, but manual queries containing patient name,
DOB and protocol number are provided to the research team.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Patient name and date of
birth are the only PII collected. This information is used to identify patients in the system and
for delivery of meals for research purposes. This information is retrieved from CRIS, the clinical
research information system, by CC Nutrition Dept registered dieticians and manually entered
into the CC Metabolic Kitchen Nutrition System. The submission of personal information is
voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Patients are advised about the information collection
practices and uses of their data for purposes of clinical research at the time of admission to the
CC. Patients agree to the collection of PII in clinical research systems and acknowledge their
consent by signing the CC Information Practices Notice. Patients would be advised about major
system changes affecting PII by a revision to the CC Information Practices Notice that would be
presented for review and acknowledgement at the time of their next admission to the hospital.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The CC Nutrition Dept staff with access to
the CC Metabolic Kitchen Nutrition System are required to complete NIH Computer Security
and Privacy Awareness Training. Access to the system is controlled by user ID and password.
The system is located in the CC Data Center behind locked doors. Individual workstations from
which the CC Metabolic Kitchen Nutrition System may be accessed are located in the CC
Nutrition Dept. Access to the CC Nutrition Dept is protected by card key readers.
Authentication with NIH PIVcards will occur at the time of login to the CC network via CC
CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Office, 301-496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC NMD Server Room
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CC NMD Server Room
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Charles Fraser
10. Provide an overview of the system: The Positron Emission Tomography (PET) IT
Infrastructure (formerly NIH CC Nuclear Medicine Server Room) is a GSS located in Bldg 10 in
the CC PET Department. The PET IT Infrastructure hosts a myriad of servers, 4 PET scanners,
imaging workstations, network and infrastructure devices used to support the PET imaging
studies at the Clinical Center. The PET IT staff is responsible for the management of the PET IT
Infrastructure. While some applications associated with PET Scanners that contain PII reside on servers
and workstations in the PET IT Infrastructure, details regarding the collection, storage and
processing of PII for those applications will be covered by separate system Privacy Impact
Assessments (PIA).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII collected, stored or processed by PET scanners in the CC NMD Server Room is covered by
separate Privacy Impact Assessments, not by the PET IT Infrastructure PIA.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This is a GSS for the IT
infrastructure and does not collect, maintain or disseminate PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable - No PII is collected, stored or
processed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII is collected, stored or processed.
Details on the administrative, technical, and physical controls are not required for the PET IT
Infrastructure GSS. The controls for applications that do collect, store or process PII residing in
the PET IT Infrastructure will be covered by separate system Privacy Impact Assessments (PIA),
not the PET IT Infrastructure.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Nutrition Department Research System (NDRS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CC Nutrition Department Research System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The CC Nutrition Department Research System (also
known as Nutrition Department System for Research (NDSR)) is a dietary analysis program
designed for the collection and analyses of 24-hour dietary recalls and the analysis of food
records, menus, and recipes. Calculation of nutrients occurs immediately, providing data by
ingredient, food, meal and day in both report and analysis file formats. The application includes
a dietary supplement assessment module so that nutrient intake from both food and supplement
sources may be captured and quantified for patients enrolled in intramural clinical research
protocols.
NDSR is used to analyze 3-day and 7-day food records from patients enrolled in 8 protocols
(NIDDK, NICHD, NIAID, NHGRI and NCI) coding approximately 150-200 days of food
records each month. The food records are coded by CC Dept of Nutrition Health Technicians
and reviewed by CC Dept of Nutrition registered dieticians.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected
includes PII, specifically: name, date of birth, and medical record number. The information is
used to track dietary intake of patients enrolled in intramural clinical research protocols from
several Institutes within the NIH. The submission of information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Patients are advised about information collection
practices and uses of their data for purposes of clinical research at the time of admission to the
CC. Patients agree to the collection of PII in clinical research and acknowledge their consent by
signing the CC Information Practices Notice. Patients would be advised about major system
changes affecting PII by a revision to the CC Information Practices Notice that would be
presented for review and acknowledgment at the time of their next admission to the hospital.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: All staff are required to take NIH
Information Security and NIH Privacy Awareness training. All application hardware is located
in the CC Data Center behind locked doors. Individual workstations where data input occurs are
located behind key card controlled locked doors in the CC Dept of Nutrition. Authentication
with NIH PIVcards will occur at the time of login to the CC network via CC CASPER for
remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, NIH/CC/DCRI, 301-496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Nutrition System
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC Nutrition System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The CC Nutrition System consists of two major
components: the Food Service Suite (FSS) and the Nutrition Service Suite (NSS). FSS is used to
track information regarding recipes, nutritional values, stock inventory, and vendor information.
NSS uses the recipe and nutrition information to determine which foods are appropriate for
patients based upon their diets as entered into the CRIS. This determination is then used by
employees in the room service call center to assist patients in selecting appropriate food items.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The Nutrition System receives PII from CRIS through a unidirectional interface. The Nutrition
System doesn't share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Demographic and clinical
information is provided through an interface with CRIS to identify the patient, caregivers,
clinical information, etc. No additional PII is collected other than that provided by CRIS. The
information is used to screen out menu items not appropriate for patients based on physician
orders and to identify appropriate items. Patients sign consents when admitted to the CC and
admission is entirely voluntary. In addition, each patient is advised of the specific uses of
information at the CC and signs an acknowledgement thereof.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII is collected from CRIS. Each patient would be
advised at the time of admission about major system changes and the CC Information Practices
Notice would be revised and provided to each patient upon the next admission.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system and all contained data are
protected using administrative, technical, physical and privacy controls. All staff with access are
required to take Computer Security and Privacy Awareness Training. Access and privileges
utilize role-based security and NIH credentials. All hardware is located in the CC Data Center
behind locked doors and individual workstations are also kept behind locked doors.
Authentication with NIH PIVcards will occur at the time of login to the CC network via CC
CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Office, 301-496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC OPUS Respiratory
Information System (OPUS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC OPUS Respiratory Information System
(OPUS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dennis Brown
10. Provide an overview of the system: The OPUS Respiratory Information System is used by
Critical Care Medicine Dept (CCMD) Respiratory Therapists to document clinical care activities
performed on CC patients. The system provides functionality for clinical documentation, patient
charges, workload productivity reporting and evaluation of the patient's respiratory status. The
system receives patient demographics and medical orders from CRIS Sunrise.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: PII collected in OPUS from
CRIS Sunrise includes patient name, date of birth, medical record number, medical orders, and
protocol number. The information is required to support workflow and documentation by
respiratory therapists on CC patients. The submission is voluntary based on an individual's
consent to become a registered patient at the CC. Additional PII entered in OPUS by the CCMD
Respiratory Therapists includes employment status data such as dates of hire, personnel data and
training records. The information is collected to support quality assurance programs and
tracking of staff activities. The submission is mandatory based on a respiratory therapist's
acceptance of employment at the CC.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) CC Information Practices Notification is provided to
each patient at the time of initial admission to the CC. If there is a major system change, each
patient would be advised at the time of subsequent admissions and a revised CC Information
Practices Notification would be provided to each patient. Respiratory Therapists are notified of
the requirement to collect employment information during department orientation. If there is a
major system change, staff would be advised of the changes through department
communications.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The OPUS system application hardware and
software employ administrative, technical and physical controls to protect patient and staff PII.
The servers are located in locked areas of the CC. The PC Tablets used by Respiratory
Therapists at the bedside utilize VPN technology to secure data on the CC wireless network.
Data is backed up nightly and stored offsite. Application access requires user ID and password.
All PII is logically located behind multiple firewalls for increased protection. Authentication
with NIH PIVcard will occur at time of login to CC Network via CC CASPER for remote
application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Outpatient Pharmacy
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/3/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC Outpatient Pharmacy
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The Outpatient Pharmacy system is a closed loop
system that supports the Clinical Center (CC) Pharmacy Department core functions of filling
medication orders and dispensing medications to NIH intramural patients. The system enhances
the safety and efficiency of take-home medication dispensing functions performed by CC
Pharmacy staff by incorporating bar-code scanning and visual identification of the dispensed
medications. The system further improves efficiency by using a high-throughput dispensing
robot and collating software to identify the location of each prescription in the dispensing
process. The system's report functionality provides accurate inventory control, provides accurate
cost data to facilitate management reports to Pharmacy and CC leadership and will allow more
accurate budget projections.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The CC Outpatient
Pharmacy system will collect and maintain PII on patients that includes full name, date of birth,
personal mailing and email addresses, personal phone number, medical record number, medical
notes and signatures. The CC Outpatient Pharmacy system will store the signature of the
patient/family member picking up prescriptions for controlled substances. The CC Outpatient
Pharmacy system will collect and maintain the full name of Pharmacy Dept staff who verify, fill
and dispense medications to patients. The information will be used for patient care, specifically
to track the medications provided to patients for administration at home. The information will
also be used by CC Pharmacy to respond to FDA inquiries about recalled medications dispensed
to patients and satisfy DEA reporting requirements about controlled substances dispensed to
patients. The submission of personal information is entirely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Admission to the Clinical Center (CC) is completely
voluntary and requires consent of each patient. Additionally, each patient is provided a full
written accounting of established information practices at the CC, including the capture and use
of PII, and has the opportunity to ask questions. Each patient must acknowledge receipt of same
through manual signature on the CC Information Practices Notice Form.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII will reside on a server in the CC
Data Center protected by restricted access and video monitoring. The server will be behind the
NIH and CC firewall and dedicated Outpatient Pharmacy VLANs. The ScriptPro workstations
in the Pharmacy Dept are protected by restricted access and locked doors. Access to the PII in
the ScriptPro application is protected by security screen locks. Access is granted by user type
and is set by the Pharmacy Dept ScriptPro Administrator in accordance with Pharmacy policies.
Access to the PII in the ScriptPro application requires use of the NIH PIV smartcard.
PIA Approval
PIA Reviewer Approval: Demote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 6/6/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC PeriOperative
Information System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/2/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH CC Perioperative Information System
(POIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: POIS is a COTS application providing OR- and
Anesthesia-specific functions to the Department of Perioperative Medicine (DPM). The functions include:
Scheduling the OR, Anesthesia, IC human resources and material resources for surgical and
anesthesia procedures at the Clinical Center, documentation of clinical and research care
provided to registered patients, inventory management, tracking patients across the perioperative
continuum, integration with CC Clinical Research Information Systems (CRIS) for receipt of
patient demographics, allergies and laboratory test results, integration with patient care monitors
for automated collection of specific vital signs, and reporting to DPM and CC Leadership.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Clinical documentation of perioperative care provided to CC patients which is created in POIS is
shared with CRIS system for storage in the specific patient's official medical record.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information collected
includes individual patient demographics, scheduling of procedures and associated resources,
clinical research data related to surgical and anesthetic care provided at the Clinical Center.
Patient and staff information becomes part of the official medical record. Information about
medical supplies, devices and medications collected during procedures supports inventory
management for the Department of Perioperative Medicine. The patient information contains
PII and the submission is voluntary based on an individual's consent to become a registered
patient at the NIH. The staff information contains PII and the submission is mandatory based on
their credentialed status as care providers at the Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is obtained from patient interviews, a
multi-disciplinary care team in the Department of Perioperative Medicine and patient
observations. Admission and protocol consent forms are signed by each patient and a CC
information practices notification form is provided to each patient at the time of initial
admission. Consent to Invasive Procedure forms are signed by the patient before each
procedure. Each patient would be advised at the time of admission about major system changes
and the CC Information Practices Notice would be revised and provided to each patient.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system and all contained data are
protected using administrative, technical, physical security and privacy controls. The system is
located behind locked doors, monitored by CCTV, and requires key card access for admission to
both the CC Data Center and the Department of Perioperative Medicine. In addition, only
authorized users may access the system based on user roles and hierarchical passwords. User
authentication with NIH PIVcards will occur at the time of login to the NIH network from CC
desktops for local application users. Authentication with NIH PIVcards will occur at the time of
login to the CC network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Picker: Clinical Center
Survey Results
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/27/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Required
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH-CC Picker: Clinical Center Survey
Results
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: Information resulting from various surveys and
questionnaires conducted by the Clinical Center from patients and staff regarding quality of care
and hospital operations. The categories of evaluative information vary according to the service
being surveyed and may include data related to the research experience, the clinical services
received, the respondent's level of satisfaction, time of delivery and future plans.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No identified data is shared. Only de-identified aggregate data is shared with CC Administration.
Once individual responses are aggregated, individuals are no longer able to be retrieved by name.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Data is abstracted from
various survey responses and questionnaires, including demographics, and is primarily related to
the quality and performance of various selected hospital services. The CC provides NRC with
visit status, unit location, MRN, name, address, DOB, visit and discharge date, protocol number,
Institute and Branch to identify a pool of CC patients who may receive the survey questionnaire
in the mail. The information collected in the questionnaires returned to NRC is used to target
areas for improvement to satisfy patient and staff expectations. Participation is entirely
voluntary, and CC Administration is provided with de-identified aggregate data only. Submission
of personal information is completely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Consent is not obtained because participation is entirely
voluntary and because the data derived from the surveys and questionnaires is only provided in a
de-identified aggregate manner to the CC reviewers. Any individual can opt not to participate by
not responding to the survey mailed to them. Each participant is provided a written introduction
and explanation of the survey in a cover letter. There have never been any major changes to the
system and none are anticipated at this time. If such changes do occur, each participant will be
notified directly. There are no other notification procedures in place.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The information is kept in a physically
secure location utilizing access controls that include security badges and key cards. Data is
protected by technical controls that include User ID, passwords, firewalls, VPNs, and card key
readers.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Picture Archive
Communications System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC Picture Archive Communications
System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The PACS collects, disseminates and stores
radiological images pertaining to Clinical Center patients and provides those images to
authorized caregivers involved in the delivery of clinical care or to scientists conducting
approved biomedical research. The information collected includes PII to identify specific
patients by name, medical record number and other identifiers. The RIS system collects the
radiologic imaging orders from CRIS and manages the DRD workflow to schedule the patients,
DRD human resources and required imaging scanners. The RIS system also provides
information to the workstation performing the scans. Admission to the Clinical Center is entirely
voluntary and each individual is informed of Clinical Center information practices and gives
informed consent before providing PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The PACS shares radiological images, together with the PII that links those images to specific
Clinical Center patients, with authorized caregivers and scientists.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The PACS and RIS system
collects, disseminates and stores radiological images pertaining to Clinical Center patients and
provides those images to authorized caregivers involved in the delivery of clinical care or to
scientists conducting approved biomedical research. The information collected includes PII to
identify specific patients by name, medical record number and other identifiers. Admission to
the Clinical Center is entirely voluntary and each individual is informed of Clinical Center
information practices and gives informed consent before providing PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Admission to the Clinical Center is entirely voluntary
and each individual is informed of Clinical Center information practices and gives informed
consent before providing PII. The process may be completed again if major changes occur. All
notifications are done in hard copy or using secure email.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access is restricted only to authorized users
with a need to know and is secured using passwords and role based security. Servers are located
in the CC data center behind locked doors, monitored by CCTV and supported by redundant
power and cooling. Authentication with an NIH PIV card will occur at time of login to the NIH
Network using CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, Clinical Center, Privacy Officer
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC ProVation
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/25/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): CC Provation
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: CC Provation is a Major Application whose mission is
to digitally report findings from gastroenterological endoscopic exams of the upper and lower
gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical
practice in gastroenterology and considered a part of routine clinical care. Procedures are
recorded as they are done and the information for each procedure is collected from a particular
patient for a particular procedure.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PDF files of signed procedure reports are extracted from the Provation system and uploaded into
CRIS for reference in the patient's medical record.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: CC Provation is a Major
Application whose mission is to digitally report findings from gastroenterological endoscopic
exams of the upper and lower gastrointestinal tract, including the ability to record digital
pictures. It is part of modern clinical practice in gastroenterology and considered a part of
routine clinical care. Procedures are recorded as they are done and the information for each
procedure is collected from a particular patient for a particular procedure.
The submission of the personal information is voluntary. The CC Provation system collects and
stores PII; specifically, medical record number and name.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Protocol consent forms are signed by each patient and
an information practices notification form is provided to each patient at the time of initial
admission. Data is retained on servers maintained by DCRI in the CC Data Center and a PDF file
of the procedure report is uploaded into the patient’s medical record.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Technical, Physical and administrative
controls are in place to ensure the security of the information. These include a Contingency Plan,
regular offsite backup of the data, and yearly security awareness training for all personnel.
The information is secured through multiple levels of security and access controls which have
been established to identify permitted users and to determine if the user has the authorization to
perform actions requested. The access controls are supplemented with a secure network at both
NIH and the CC.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Pyxis Supply Station
System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Pyxis Supply Station System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin, CC Privacy Officer
10. Provide an overview of the system: The Pyxis Supply Station System is an advanced
point-of-use system that automates the distribution, management and control of medical supplies
ordered by medical staff for Clinical Center patients.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Pyxis Supply System
collects inventory data and PII that includes unique identifiers such as patient name and
medical record number to assure that the right patient gets the right medical supplies. The
submission is voluntary, based on an individual's consent to become a registered patient at the
CC.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Patient demographics, including patient name, medical
record number and current hospital location are collected in CRIS Sunrise and shared with the
Pyxis Supply Station System. CC Information Practices Notification is provided to each patient
at the time of initial admission to the CC. If there is a major system change, each patient would
be advised at the time of subsequent admissions and a revised CC Information Practices
Notification would be provided to each patient.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The Pyxis Supply Station System and all
contained data are protected using administrative, technical and physical security controls. Pyxis
Supply Station dispensing units are located in controlled access areas of the CC nursing units.
Access to PII and privileges are based on user's assigned roles. The Pyxis Supply Station
application/database servers are located in the CC Data Center behind locked doors, monitored
by CCTV and Systems Monitoring staff in attendance around the clock. Additionally, the
system is logically located behind the NIH, CC and CRIS firewalls. Remote access to the Pyxis
Supply Station requires use of the NIH VPN.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, Privacy Officer, Clinical Center
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Quadramed Nursing
Acuity System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH CC Quadramed Nursing Acuity System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: Quadramed Nursing Acuity System provides the
Nursing and Patient Care Services (NPCS) department with the functional ability to document
patient acuity on CC inpatients and outpatients. The Quadramed system utilizes the QuadraMed
Acuity-Plus application to collect staffing, acuity and visit data by way of input from CC Nurses
and the Automated Nurse Staff Office Schedule (ANSOS) system. The application then
provides recommended staffing levels to NPCS leadership.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Quadramed system
collects patient name, a unique system identifier assigned to differentiate patients, location,
acuity assessments, and admission, discharge and transfer dates from CRIS Sunrise. Additionally,
the Quadramed system collects NPCS staff names and roles. The information is analyzed to
project staffing requirements for the CC patient care locations. Patient information includes PII,
i.e., name, unique system identifier, admission, transfer, discharge dates and medical notes;
submission is voluntary. Staff information includes PII, i.e., name and role, which is publicly
available in NED. Staff information submission is a condition of employment.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Patients acknowledge CC Information management
practices at the time of first registration that include the collection of PII that is shared with
ancillary department systems such as Quadramed Nursing Acuity Plus. Patients would be
advised at the time of admission if major system changes occur, data uses or disclosures change.
The CC Information Practices Notice would be revised and provided to each patient at the
subsequent admission to the CC. NPCS staff would be advised of major system changes related
to PII by the CC Nursing Department. Notification may be done electronically or in written
form.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII is secured using administrative controls
that include backup files, user manuals, and user training. Access and privileges in the
Quadramed Nursing Acuity System are based on the user's assigned roles. PII is additionally
protected by technical controls that require entry of a User ID and Password to open the
application. The application is logically located behind the CRIS firewall and requires the NIH
VPN for remote access. Only authorized DCRI IT staff have access to the Quadramed Nursing
Acuity System servers in the CC Data Center. The system hardware is protected by door locks,
CCTV, NIH security guards and Identification Badges. Authentication with NIH PIV cards will
occur at time of login to the NIH Network via CC CASPER for remote application users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Rehabilitation-Social
Security Administration Data Sharing System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC: Rehabilitation Medicine Dept - Social
Security Administration Data Sharing System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The Clinical Center Rehabilitation Medicine
Department (CC-RMD) at the National Institutes of Health (NIH) has agreed to assist the Social
Security Administration (SSA) to explore innovative methods for augmenting and improving the
current disability evaluation process. The first major line of work requires analysis of data from
longitudinal research files maintained by the Social Security Administration and assessing the
feasibility of developing Computer Adaptive Testing (CAT) instruments that can be integrated
into the SSA data collection and determination processes.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The research data set is only shared between the SSA and the specific RMD staff authorized to
perform statistical and other related analyses of the information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Analysis of data from
longitudinal research files maintained by the Social Security Administration Office of Disability
Program Information and Studies (ODPIS). These files house extensive administrative data,
including application data and decisional data. Each record represents one disability claim. Past
efforts to improve the quality and utility of the files were challenged by resource constraints.
Users of the data files will need to creatively problem-solve and formulate solutions to data-
related issues as they arise. The data includes limited personal identifiers including a pseudo
social security number, medical notes, and birth month and year. Data is submitted as part of an
application for a disability determination. The submission of data by applicants is required as
part of the process when applying for benefits. Sharing of the data with the RMD is entirely
voluntary on the part of the SSA.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All individuals are notified of use at the time of
disability filing, and consent is written and maintained by SSA. Major changes will be
communicated by the CC CIO to the SSA Project Director. A limited data set (research data)
is shared between the SSA and the specific RMD staff authorized to perform statistical and other
related analyses of the information. In the event a change to the CC system would include a new
use or disclosure, the SSA Project Director would make a determination to notify individuals
whose data is contained in the CC system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: A limited data set, aka, research data is
shared between the SSA and the specific RMD staff authorized to perform statistical and other
related analyses of the information. Access is password protected and role based security is also
used. All data resides on a server and SAN solely dedicated to that purpose and is located within
the secure CC Data Center which uses state of the art backup and physical security measures.
Individual files include a scrambled social security number (aka pseudo SSN). The key to
unscramble the pseudo SSN is stored at the SSA to ensure protection of sensitive PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Scheduling System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH CC Scheduling System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: An ASP web-based application used for scheduling
patient appointments in the Clinical Center. Schedules for physicians, nurses, ancillary care
givers, resources and locations are built so that specific schedules can be created and viewed. A
third-party contractor sends individualized appointment reminder letters to patients.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII is required for patient identification at the point of scheduling, as well as for contacting
patients and mailing them reminder letters regarding their scheduled appointments.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information is provided
from CRIS to support the scheduling functionality including patient and clinician demographics
which is used to create the specific appointments for each patient within the application.
Admission to the Clinical Center is entirely voluntary and each patient is advised of the specific
information practices at the Clinical Center at the time of admission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each patient signs a consent to be admitted to the
Clinical Center and is advised as to each of the specific information practices at the Clinical
Center including how information about them will be stored and shared and for what purposes.
Major changes will be updated in the current information practices and patients will be informed
at the time of admission.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: CC users and contractors have completed
information security and privacy training. Access to data is based on user role. SCI Solutions
security policy includes review of all incidents and action plans to mitigate, repair and prevent
damage. Access is restricted by firewalls, use of virtual IP and physical separation of database
servers from systems serving HTTP pages. Production systems access is limited to specific
need-to-know employees. Physical access is limited by locked doors, pass-coded ID, cameras,
etc. Authentication with NIH PIVcard will occur at time of login to the NIH Network via CC
CASPER for remote users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, Privacy Officer, Clinical Center, Department of Clinical
Research Informatics
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC StemLab
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0011
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CC StemLab
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Boyd Conley
10. Provide an overview of the system: StemLab is a clinical and administrative management
system. It manages and streamlines the unique work flow followed in the CC Dept of
Transfusion Medicine's stem cell blood laboratory. StemLab also supports stem cell processing
operations for bone marrow and apheresis products. The system also provides functionality to
meet quality assurance practices and regulatory compliance for cell therapy transplant services at
NIH.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information related to donation and receipt of blood products for patients on IRB approved
protocols is shared with intramural clinical research team.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The StemLab system will
collect demographic information, medical notes and laboratory results on donors and NIH
research participants. The information is used by DTM staff to perform routine tasks required by
the American Association of Blood Banks and the FDA and support CC research protocols. The
system will collect PII on donors and NIH research participants. The submission is mandatory
since donations must be directly attributable to each individual donor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each individual donor is informed of required
information collection and uses before donation. Major systems changes would be sent directly
to each donor and new consents obtained upon new donations.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Only authorized persons with assigned roles
may have access to the system. The StemLab system is protected in the CC Data Center through
door locks and other physical controls. Access to StemLab is secured by technical controls;
including user identification and password protection. Authentication with NIH PIVcard will
occur at the time of login to NIH Network via CC CASPER for remote users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin: CC Privacy Officer, 301-496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC Teramedica IS PACS
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/11/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH CC Teramedica IS PACS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ron Levin
10. Provide an overview of the system: Teramedica IS PACS stores Digital Imaging and
Communications in Medicine (DICOM) formatted image data acquired from imaging devices on
the NIH network and images acquired from external research partners. The DICOM image data
from external research partners includes limited data in the MRI image headers per the approved
HIPAA release. The DICOM data from intramural research partners includes PII in the image
headers. The system is operated by CC Diagnostic Radiology Department (DRD) and CC
(Radiology and Imaging Sciences) RAD IS staff. Users include CC Radiology and Imaging
Sciences staff and NIH intramural research staff whose DICOM images are stored in the system.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The Teramedica IS PAC system shares and/or discloses PII with Johns Hopkins Medical
Institutes. The PII data is incorporated in reports by Dr. Bluemke's research team following their
analysis of JHMI MRI images. The disclosure is pursuant to a JHMI IRB approved protocol
and an NIH IRB approved protocol.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The Teramedica system
collects DICOM images, names, dates of birth, medical record numbers, medical notes, gender
on NIH intramural research subjects for clinical research and analysis. (2) This information is
collected for the purposes of analysis of MRI images by members of the IRB approved research
study between Johns Hopkins Medical Institutes and the CC. (3) The information contains PII.
(4) Submission of PII is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) NIH intramural research subjects are advised of data
uses at the time of admission to the Clinical Center in the CC Information Practices Notice.
Major changes in the use of their DICOM images in the Teramedica system would be
incorporated in an amended CC Information Practices Notice and provided to the CC patients at
the time of next admission.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII in the application is protected by
technical controls that include user ID and password, firewalls and NIH VPN with authentication
using NIH PIV Card for remote application users. The system hardware is located in Bldg 10
Data Center and Bldg 12 Data Center. The infrastructure is protected by guards, the use of
identification badges, key cards and retinal scan for access to Bldg 12.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240, [email protected]
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CC TheraDoc
Epidemiology System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): CC TheraDoc Epidemiology System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sue Martin
10. Provide an overview of the system: The system provides the Hospital Epidemiology
Service with continuous infection surveillance, alerts, and analysis to help promote better and
more timely infection control practices.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Hard copy reports with PII are faxed as needed to Maryland, Virginia and District of Columbia
Public Health Depts in compliance with public health reporting requirements for infectious
diseases.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system captures and
maintains PII on registered Clinical Center patients, including demographics, lab results,
radiology results, admission/discharge/transfer information, vital signs, medications and selected
surgical information. PII is shared with staff epidemiologists and other care givers involved with
the treatment of patients at the Clinical Center. The collection of PII is voluntary since
admission to the Clinical Center and specific research protocol(s) is completely voluntary.
Additionally, the Clinical Center is required to collect infectious disease surveillance information
for JCAHO and the Public Health Service.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Admission to the Clinical Center is completely
voluntary and requires consent of each patient. In addition, each patient is provided a full written
accounting of established information practices at the Clinical Center, including the capture and
use of PII, and has the opportunity to ask questions and must acknowledge receipt of same
through their signature on the CC Information Practices Notices form.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII resides on a server in the CC Datacenter
protected by restricted access and video monitoring. The server is behind the NIH & CC
firewalls. Access is granted by the application administrator to each individual on a need-to-
know basis. Access will require password and specific security group inclusion. Passwords at
the NIH and application level require updates as required by NIH policy and users are
automatically logged off the system after inactivity.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT CIT Billing System
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): CIT Billing System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: John Burke
10. Provide an overview of the system: The CIT Billing System provides comprehensive job
accounting and chargeback reporting. The billing system is integrated with CIMS to identify the
billable services that each organization uses and creates invoices that are presented to Customer
Accounts for payment.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected
are account usage and costs associated with use. This data is used to create invoices and
summary reporting files for the central accounting system. The CIT Billing System is integrated
with CIMS to support fee for service and flat fee standard rates. The CIT Billing System collects
no sensitive information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT CIT Democracy II
Server Room [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): There is no PII - this is for a server room
5. OMB Information Collection Approval Number: There is no OMB ICA Number - this is
for a server room
6. Other Identifying Number(s): There are no unique identifying numbers
7. System Name (Align with system Item name): Democracy II Server Room
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chris Santos
10. Provide an overview of the system: This is a development and test environment used by
CIT's Division of Enterprise and Custom Applications.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: There is no PII - this is for a
server room
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no PII - this is for a server room
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no PII - this is for a server room
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT CIT Division of
Computational Bioscience Systems [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3103-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Division of Computational Bioscience
Systems
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anthony Fletcher
NIH/CIT/DCB
10. Provide an overview of the system: This system (“DCB Systems”) is used to provide CIT
support for the Institutes and Centers (IC) at NIH. DCB collaborates with the NIH intramural
research program to provide expertise and develop software on computational research problems
of significance to the ICs. DCB Systems host this software which includes development and pre-
production versions. The application areas include molecular modeling, protein structure
prediction, biomedical imaging, mathematical modeling, and biomedical informatics.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
SOR 09-25-0200 This information is addressed in the NIH Privacy Act Systems of Record
Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: CIT/DCB does not collect
any of the data it uses in its research and collaborations with the Institutes. DCB develops tools
for principal investigators to use in collecting data. DCB merely keeps a copy of the data, which
depends on the protocol but may include IIF such as name, date of birth, phone number, medical
records, medical notes, and gender. The principal investigators with whom DCB collaborates
determine which data will be collected. All data are provided voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Any IIF data in the system are obtained from the ICs
with which DCB collaborates, particularly NINDS. The processes by which the IIF data are
collected are determined by the principal investigators in charge of the protocols. The clinical
staff at NINDS handle all consent forms and notifications. DCB has no processes in place in
addition to those processes provided by NINDS.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Restricted physical and logical access; no
project personnel will be allowed to see project data.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT CIT Status of Funds
Internet Edition [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): There is no PII.
5. OMB Information Collection Approval Number: There is no PII.
6. Other Identifying Number(s): There are no additional identifying numbers.
7. System Name (Align with system Item name): Status of Funds Internet Explorer (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Robin Lyons
10. Provide an overview of the system: SOFie is a Web based application employing
Microsoft’s IIS and SQL server software. The SOFie application supports the efforts of several
offices and branches within CIT, allowing budget offices to track expenditures of direct,
reimbursable, and non-appropriated funds in a fiscal year. Additionally, SOFie is used to reflect
budget allocations and projected expenditures at the operating level. The program also contains a
tracking mechanism to track prior year funds. The application downloads this information from
the NIH Data Warehouse weekly. SOFie is not a source database for other information systems.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
There is no PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: SOFie is a commercial-off-
the-shelf web-based application tool for providing advanced financial reporting and analysis.
The application supports an Excel interface that allows for the development of spreadsheets
using custom functions that extract real-time expenditure, budget, and planning data from the
SOFie database.
The CIT/FMO uses SOFie to track expenditures of direct, reimbursable, and non-appropriated
funds in the fiscal year. Additionally, SOFie is used to reflect budget allocations and projected
expenditures at the operating level. The program also contains a tracking mechanism to track
prior year funds. The data used by SOFie is downloaded from the NIH Data Warehouse weekly.
SOFie is not a source database for other information systems. SOFie does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Consolidated
Colocation Site [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): This is not applicable; there is no PII.
5. OMB Information Collection Approval Number: 009-25-02-00-01-3109-00
6. Other Identifying Number(s): There are no additional identifying numbers.
7. System Name (Align with system Item name): NIH Consolidated Co-Location Site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Adriane Burton
10. Provide an overview of the system: The NIH Consolidated Co-Location Site (NCCS) is an
off-campus site used to house IC servers, including CIT servers. The NCCS is a secure,
environmentally controlled facility located approximately 30 miles from the NIH campus in
Northern Virginia. Multiple telecommunications links between NIH and the NCCS provide
extremely high bandwidth. These links are part of NIHnet which is managed and operated by
the CIT Division of Network Systems and Telecommunications (DNST).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This C&A is for a facility
only; this does not include any data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This C&A is for a facility only; this does not include
any data.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This C&A is for a facility only; this does
not include any data.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, NIH/CIT
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center
Collaborative Technology
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 009-25-02-00-01-3109-00-109-026
6. Other Identifying Number(s): There are no other identifying numbers.
7. System Name (Align with system Item name): NIH CIT Data Center Collaborative
Technology
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Adrienne Yang
10. Provide an overview of the system: The NIH Data Center provides video casting and web
collaboration services to the NIH and HHS communities. Video casting allows customers to
broadcast lectures, seminars, conferences, or meetings live to a broad audience over the internet
as a real-time streaming video. Web collaboration provides web conferencing and online
collaboration for real-time information sharing and document collaboration.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The only information
collected from individuals is their name and work-related information solely for the purpose of
establishing user accounts for using the web collaboration service. This information is only
collected from NIH/federal staff.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, CIT/OD/EO/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center Scientific
Computing
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 009-25-02-00-01-3109-00-109-026
6. Other Identifying Number(s): There are no additional identifying numbers.
7. System Name (Align with system Item name): NIH CIT Data Center Scientific Computing
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Adrienne Yang
10. Provide an overview of the system: The NIH Data Center scientific computing services
provides high-performance scientific processing services to the NIH intramural research
community. A wide range of scientific applications and web-based tools are provided to ease
and enhance scientific research. Two processing platforms support the scientific applications:
Helix is a multiprocessor shared-memory system for interactive use and Biowulf is a 6300+
processor cluster for large computational processing. Users are responsible for the protection of
their data; Helix and Biowulf provide the tools for doing so.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The only information
collected from individuals is their names and work-related information such as office locations,
phone numbers, etc., solely for the purpose of establishing user accounts on the scientific
computing services hosts. No personally-identifying information is collected, maintained, or
disseminated as part of the scientific services. This information is collected from NIH
employees and contractors only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center Unix
Hosting
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): There are no additional identifying numbers.
7. System Name (Align with system Item name): NIH CIT Data Center Unix Hosting
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Adrienne Yang
10. Provide an overview of the system: The NIH Data Center provides Unix application
hosting services to NIH Institutes and Centers (ICs), the U.S. Department of Health and Human
Services (HHS), and other federal agencies. The NIH Center for Information Technology (CIT)
is responsible for the management and administration of the Unix general support system - the
operating system and Oracle relational database management system. Data and applications are
the sole responsibility of the application owners. CIT provides the environment and utilities that
enable customers to effectively manage the security of their applications and data.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The only information
collected from individuals is their names and work-related information such as office locations,
phone numbers, etc., solely for the purpose of establishing user accounts on the Unix hosts. No
personally-identifying information is collected, maintained, or disseminated as part of customer
support for Unix services. This information is collected from government employees and
contractors only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, CIT/NIH
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center Windows
Hosting
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/27/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): There are no additional identifying numbers.
7. System Name (Align with system Item name): NIH CIT Data Center Windows Hosting
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Adrienne Yang
10. Provide an overview of the system: The NIH Data Center provides Windows application
hosting services to NIH Institutes and Centers (ICs), the U.S. Department of Health and Human
Services (HHS), and other federal agencies. The NIH Center for Information Technology (CIT)
is responsible for the management and administration of the Windows general support system -
the operating system and Microsoft SQL relational database management system. Data and
applications are the sole responsibility of the application owners. CIT provides the environment
and utilities that enable customers to effectively manage the security of their applications and
data.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system does not collect,
maintain, or disseminate any information. Only authorized government employees and
contractors have access to the servers using their nih.gov domain accounts. The information
used to create the accounts is collected and stored by the NIH Employee Directory (NED)
application and the information related to the domain accounts is stored in the nih.gov domain
Active Directory database.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, CIT/NIH
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center Windows Infrastructure
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/27/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): There are no additional identifying numbers.
7. System Name (Align with system Item name): NIH Windows Infrastructure
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Adrienne Yang
10. Provide an overview of the system: The NIH Data Center provides a Windows
Infrastructure service that enables NIH users to access various services and systems in the
nih.gov domain. Active Directory (AD) forms the core of this service. AD is an implementation
of an LDAP (Lightweight Directory Access Protocol) directory service. AD is built around the
Domain Name System (DNS) and LDAP. AD contains information about users and resources
that allows it to manage nih.gov resources and broker the relationships among them.
The NIH Data Center provides two utilities for users to make updates to Active Directory:
Active Directory Manager (ADM) and Password Self Service (PSS). ADM provides a Web
interface for NIH IC administrators to manage their IC AD resources; i.e., it is used to access AD
data. PSS provides a Web interface that allows users to reset their forgotten passwords
(maintained by AD).
PSS uses a question/response verification for the password reset. The questions and answers are
stored in the AD database in encrypted format. Users self-register for PSS and choose three
questions from the following list for their challenge/response:
What is the last name of your favorite school teacher?
What is the name of your favorite sports team?
What is the name of your favorite singer or band?
What is the name of your favorite television series?
What is the name of your favorite restaurant?
What is the name of your favorite movie?
What is the name of your favorite song?
What is the furthest place to which you have traveled?
What is the name of your favorite actor or actress?
Who is your personal hero?
What is your favorite hobby?
Your mother's first name?
The city name or town name of your birth?
A four digit PIN (personal identification number)?
What is your least favorite sports team?
What is your mother's occupation?
What was your SAT score?
What is your favorite brand of candy?
What is your least favorite food?
What is your least favorite beverage?
What was your first pet's name?
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: AD information on
individuals is solely used for establishing nih.gov domain accounts. The information is imported
from the NIH Enterprise Directory (NED) and contains names and work-related contact
information such as office locations, phone numbers, etc. No personally identifying information
is collected, maintained, or disseminated as part of customer support for infrastructure services.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, CIT/NIH
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Enterprise Messaging
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): There are no additional identifying numbers.
7. System Name (Align with system Item name): NIH CIT Enterprise Messaging
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Adrienne Yang
10. Provide an overview of the system: The NIH Data Center Windows service provides the
NIH-wide corporate messaging capability. This includes electronic mail, Microsoft Exchange
electronic mail (email), and all necessary supporting services: Outlook Web Access (OWA) for
users to access their mail using a Web browser; Electronic FAX for users to send and receive
faxes in their mailboxes; support for users to access their mailboxes from portable devices
(PDAs) (e.g., BlackBerry); instant messaging (IM); secure file transfer (SEFT) for sending large
documents; NIH Listserv to support mail distribution to a large community; and SPAM filtering.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Other than serving as a
messaging distributor, the system in and of itself does not collect, maintain, or disseminate any
information. Only authorized government employees and contractors have access to the
messaging servers using their nih.gov domain accounts. The information used to create the
accounts is collected and stored by the NIH Employee Directory (NED) application and the
information related to the domain accounts is stored in the nih.gov domain Active Directory
database.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, CIT/NIH
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT ePolicy Orchestrator
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): There is no SOR for this application.
5. OMB Information Collection Approval Number: There is no PII in this application.
6. Other Identifying Number(s): There are no other identifying numbers.
7. System Name (Align with system Item name): ePolicy Orchestrator
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Connie Latzko
10. Provide an overview of the system: This is a COTS product used for antivirus protection,
tracking, removal and reporting for CIT systems.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not contain any IIF.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system does not contain
any IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The system does not contain any IIF.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not contain any IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Infrastructure Graphical Database [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): There is no SOR needed - no PII exists in this system
5. OMB Information Collection Approval Number: This does not apply - there is no PII in
this system
6. Other Identifying Number(s): There are no other identifying numbers
7. System Name (Align with system Item name): Infrastructure Graphical Database (CIT
Archibus)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Tony Trang, NIH/CIT/DNST
10. Provide an overview of the system: This is the National Institutes of Health (NIH)
infrastructure assets management system used to track cabling and telecommunications
infrastructure information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
There is no IIF.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: There is no IIF. This system
collects infrastructure, telecommunications and cabling pair information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no IIF.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT KNOVA [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not applicable.
5. OMB Information Collection Approval Number: Not applicable.
6. Other Identifying Number(s): Not applicable.
7. System Name (Align with system Item name): KNOVA
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Phil Day
10. Provide an overview of the system: This is a Commercial-Off-The-Shelf (COTS) product
that provides help desk knowledge base services. It allows agents to type in the customer issue
and then be presented with a variety of options depending on their search, including tailored
search results, Q&A dialogs, and fields to fill in. It can exchange problem and incident
management data with the Customer Relationship Management (CRM) system; however, no IIF
data from the CRM system will be available to Knova. All customer information and IIF is
collected in the CRM system; only technical problem-related information is entered into Knova.
Any integration between the two will strictly pass non-uniquely-identifiable problem information
from the CRM to Knova, and then pass resolution information back from Knova to the CRM. No
IIF will enter Knova.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
There is no IIF contained within this system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a help desk
knowledge management tool and as such, non-uniquely-identifiable information about technical
problems and how to solve them will be housed in the system. These solutions are technical in
nature (how-tos, etc.) and do not contain IIF. These solutions will be available to the NIH IT
Service Desk and, in the future, support staff and the NIH user community. The information will
be used to assist the NIH community with technical issues. There is no IIF in the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no IIF contained within this system
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no IIF contained within this system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT National Database for Autism Research [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3110-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200; 09-25-0156
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): National Database for Autism Research
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Matthew McAuliffe, Ph.D.
10. Provide an overview of the system: NDAR, the National Database for Autism Research, is
a collaborative biomedical informatics system being created by the National Institutes of Health
to provide a national resource to support and accelerate research in autism.
NDAR will make it easier and faster for researchers to gather, evaluate, and share autism
research data from a variety of sources. By giving researchers access to more data than they can
collect on their own and making their own data collection more efficient, the time to discovery
can be reduced.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF information is not shared on research participants. However, the PIs granted access to data
will give permission to post their name on the NDAR Web site with the research aims. The
purpose of this is to facilitate transparency in how NDAR data is being used. PIs who submit
information to NDAR will not have their information posted on the Web site.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system will collect a
wide variety of clinical information including images of the brain, genetics information, and data
from diagnostic criteria specific to clinicians in the autism field. Recent changes to NDAR make
sure that all IIF on research subjects (used to generate encrypted hashes that allow cross
checking studies for the same individuals) is kept at the researcher’s institution.
NIH will collect IIF on PIs who submit information about research participants to NDAR. This
information will be used by NIH to document, track, monitor and evaluate NIH clinical, basic,
and population-based research activities.
NIH will also collect IIF on PIs who wish to gain access to the information. This information
will be used to document, track, monitor, and evaluate the use of NDAR datasets and to notify
recipients of updates, corrections or other changes to NDAR.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) As part of the research protocol, all subjects will be
required to fill out consents that describe how their information will be used even though NDAR
will contain no IIF on research participants. If these change or expire, all participants will be
contacted.
PIs submitting information to NDAR and accessing information from NDAR will sign relevant
agreements for submission and access, both of which include a Privacy Act notification.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: 1) Management policies require that all new
users be part of an approved site, with the request coming through a system administrator.
2) Technical Controls require that each user log in to the NDAR application with a unique user
name and password. Additionally, the password is set to expire after 75 days, must be at least 8
characters long, with at least 2 of the following character types: Control Character, Number,
Capital Letter.
3) Physical Controls require badged access to all server rooms, with badge lockdown policies in
line with existing NIH procedures.
The physical rack will be key-locked.
The physical rack will be located in a data center behind both biometric and keycard access, with a 100% identification badge check by a 24/7 security guard. The Data Center is behind 3 independent 24/7 security guards that will perform identification badge checks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Application Manager [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Application Manager (NAppMan)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Tanita Durant
10. Provide an overview of the system: The intention of NAppMan is to alert a responsible
individual when an application on NIHnet is not available or is suffering a problem of some sort.
It summarizes information received from underlying monitors that more directly monitor the
application and maintains statistics.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The NAppMan system does not collect IIF and therefore cannot disclose or share IIF.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NAppMan stores application
up-time information including the date and time of occurrence, the name of the application
component, and the status of the component, its relationship to other components, and business
rules to represent the status properly at higher levels. No personal information or IIF is gathered.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is being collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF is available in the NAppMan system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Business Intelligence System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-01-3105-00-404-142
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018 and 09-90-0024
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH CIT Business Intelligence System (NBIS) (nVision)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Michael Foecking
10. Provide an overview of the system: The NIH Business Intelligence System (NBIS) is an
enhanced data warehouse that is a consolidation of the legacy data warehouse, and the next
generation data warehouse, nVision. It is designed to improve reporting capabilities of the NIH
business source systems. This consolidation integrates the query and reporting capabilities of
NIH business systems into one system. The legal authority is referenced in HHS Privacy Act
Systems of Record 09-90-0018 and 09-90-0024.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Only authorized personnel have access to this data. PII is shared with the NIH FOIA officers who vet requests for information that are received from the public.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The agency collects both
administrative and financial data. This data is collected from NIH source systems and includes
name, DOB, SSN, education records, employee status, business mailing address, e-mail address
and phone numbers, and is used for business reporting purposes. NIH BIS only collects the following PII when users are registered for NIH BIS: Username, Full Name, Phone Number, Office, Email, and Institute. This data is used for support, reporting, and auditing purposes. This data is mandatory for any users of the NIH BIS system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Agreements have been obtained from the NIH source
systems in collaboration with the business community requirement groups to provide the data
needed to support the mission of NIH. The warehouse and source systems teams are in constant
communication with regard to the data and changes in that data or access permissions granted to
users. Users sign the NIH BIS registration form, consenting to the use of PII for NIH BIS
registration purposes. When a major change occurs to the NIH BIS system, users are notified by
email. A privacy statement is posted on the NIH BIS website.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: NBIS administrative controls include C&A,
a System Security Plan, a Contingency Plan, system backups, and documented procedures.
Technical controls include a User ID and strong password to access the system, and access is only granted when there is a documented request by an authorized official. Other technical controls
include Firewalls and VPN. Physical controls to the server room include guards, ID Badges,
Key Cards and locks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Data Center - Building 12 [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Data Center (Bldg 12)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Adriane Burton
10. Provide an overview of the system: NIH Data Center is a controlled access facility for
housing (1) CIT-provided general support systems that host NIH, HHS, and other federal agency
applications, (2) scientific computing services for NIH researchers, and (3) NIH infrastructure
servers (Active Directory, email, and networking (NIHnet)). The facility also provides monthly
rental space for housing customer-owned and operated equipment. An off-campus site, the NIH
Consolidated Co-Location Site (NCSS) provides space for housing IC servers in a secure,
environmentally controlled vendor-provided facility located approximately 30 miles from the
NIH campus.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Enterprise Directory [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026 (under NIH IT infrastructure)
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): 009-25-02-00-01-3109-00-109-026 (under NIH IT Infrastructure)
7. System Name (Align with system Item name): NIH Enterprise Directory (NED), HHS/NIH
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bobbye Underwood
10. Provide an overview of the system: The purpose of the NIH Enterprise Directory (NED) is
to maintain accurate, current locator and organization information for individuals utilizing NIH
services or facilities, and to provide the basis for physical and information security systems.
NED is used to authorize and provision NIH services such as ID badges, NIH Library access,
listing in the NIH Telephone and Services Directory, red parking permits, Active Directory
accounts, Exchange mailboxes, and VPN remote access privileges. NED provides data to dozens
of NIH applications and systems in support of numerous business processes.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The NED system shares or discloses PII with a number of NIH and HHS systems including LMS
(HHS Learning Management System), IDMS (HHS Identity Management System), HRDB (NIH
Human Resources Database), BITS (NIH Background Tracking System), EDiE (NIH Employee
Database Internet Edition), EMIS (NIH Ethics Management Information System), NIH Radiation
Safety Database, and AlertNIH (SendWordNow). Contact the system owner for a complete list
of systems. NED shares PII for a variety of reasons including personal identity verification,
provisioning of NIH services, record matching, and in support of various NIH business
processes.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NED contains individual
identifying information, such as a person’s name, HHS ID number, date of birth, place of birth,
Social Security Number (SSN), and ID photo as well as information for locating or contacting a
person at work or home, such as their email address, postal and delivery addresses, telephone
numbers, organizational affiliation and classification (e.g., Employee, Contractor).
NED was developed to provide a convenient, single, logical source of identity and locator
information at NIH. NED obtains, from the HHS Identity Management System (IDMS), and
maintains a public identifier (HHS ID number) that follows a person throughout his or her NIH
career. HHS ID numbers have been incorporated into numerous NIH systems and business
processes and are tied to a common set of normalized data for all members of the NIH
workforce. NED eliminates the need for application-specific repositories of people data, thus
reducing the cost of application development and maintenance. This also reduces the amount of
redundant data entry, since NED provides a single place to update people data used by a number
of major applications.
NED makes deregistration of individuals occur more reliably when they leave NIH. Applications
connected to NED can take advantage of this to deactivate accounts and revoke authorizations,
thereby improving security. For example, when an individual is deregistered in NED, this
deactivates their record in the ID badge system, which revokes their card key door lock access.
Submission of personal information is mandatory if the individual is to be employed with the
National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) NIH administrative staff has the option of requesting
that an individual enter their PII directly into NED and the individual must agree to the following
prior to submission: “I hereby authorize the release of information in this application to
appropriate Federal agencies for the purposes of processing this application and verifying my
identity. I also acknowledge that if I provide or assist in the provision of false information or
non-verifiable information, and/or I purposely omit information, it could result in loss of access
to HHS facilities and IT systems and in disciplinary action including removal from Federal
service or a Federal contract, and I may be subject to prosecution under applicable Federal
criminal and civil statutes. I declare under penalty of perjury that the foregoing is true and
correct.” When NIH administrative staff enters an individual’s PII themselves, they must certify
that the information is being entered using information from section A of a completed HHS-745
ID Badge Request form that was signed by the individual.
There are no other processes currently in place to obtain additional consent from the individual
whose PII is stored in NED regarding what PII is being collected for them or how the
information will be used or shared. There are also no processes in place at this time to obtain
consent from the individuals whose PII is in the system when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Carson Associates completed a NED system
recertification and the NIH DAA signed an ATO on 7/14/2010. As part of the C&A, security
controls were reviewed, validated and tested to ensure that NED adheres to the standards
required for operating as a MODERATE system. As part of the C&A process, a Plan of Action
and Milestones was developed, addressing all areas requiring attention in order to achieve full
compliance.
NED production and development servers reside in the NIH Computer Center machine room
located in building 12A on the NIH main campus in Bethesda, MD. The NIH Center for
Information Technology/Division of Computer System Services (CIT/DCSS) hosts and operates
all servers. Physical and environmental controls are described in the NIH Computer Center C&A
documentation, and are sufficient for the sensitivity level of the NED system. NED utilizes the
NIH computer network (NIHnet) operated by CIT's Division of Network Systems and
Telecommunications (CIT/DNST). NED physical, network and operating system security
controls are maintained by CIT/DCSS and CIT/DNST as part of a service level agreement
(SLA). The NED C&A defers to the DCSS and DNST C&A information on controls. In
addition, the NIH Computer Center undergoes a SAS 70 audit and is currently in compliance.
All staff on the NED development and management team have appropriate position sensitivity
levels. Background investigations are either complete or underway. Users of the NED web
applications are responsible for the professional use of their accounts and user passwords as
outlined in the NIH Rules of Behavior and are required to take NIH Security Awareness Training
with annual refresher modules. Core users of the main NED web application
(https://ned.nih.gov/ned) include users with the AO (Administrative Officer) or AT
(Administrative Technician) role. NED IC Coordinators or existing AO users grant, modify, and
remove AO and AT access using a NED web interface. NED system administrators authorize
people for other system roles upon request by an authorized NIH business owner. AO and AT
maximum scope of authority is limited to records affiliated with their own Institute or Center
(IC) and may be further restricted to records affiliated with specific organizations in the IC. NED
automatically removes the AO and AT access when their NED record is deactivated or
transferred to a different IC. Authentication to NED is via NIH Login, which uses NIH Active
Directory accounts.
CIT/DCSS is responsible for the operation, maintenance, and support of NIH Active Directory.
Following authentication using NIH Login, NED record owners are able to view private
information contained in their own record via a secure website from a computer attached to
NIHnet. Internet users can access a limited amount of NED public data without authenticating.
NIH/CIT/DCSS staff performs most NED Oracle database administration activities (e.g.,
backups, logging and operating system support). NED staff manages the Oracle accounts used by
downstream applications for accessing NED data stored in Oracle. NIH/CIT/DCSS staff
manages the NIH Titan mainframe accounts used by downstream applications for accessing
NED data stored in the DB2 database that resides on the mainframe computer. The NIH Privacy
Office must authorize access by downstream applications to private data covered under the NED
SORN. Following NIH Privacy Office approval, NED staff provides written confirmation to
NIH/CIT/DCSS when requesting that access to private data be granted to a Titan account.
The NIH Incident Response Team (IRT) has established the NIH Incident Handling Procedures, which outline how to handle, report, and track incidents and/or problems. The procedures describe the roles of the IRT and ISSOs.
The IRT has a 24 x 7 contact number available to ISSOs (301-881-9726) and can be reached at
NED has a configuration management process where all system code is maintained under change
control.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France (NIH/CIT)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Integrated Service Center [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): There are no additional numbers.
7. System Name (Align with system Item name): NIH Integrated Services Center (includes
NIH Login)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Yvonne Brooks
10. Provide an overview of the system: The Integrated Services Center includes NIH Login
and TIBCO. NIH Login provides a single authentication mechanism for NIH enterprise systems
and IC specific applications.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF is shared or disclosed.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: There is no data collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no data collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Portal [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Portal
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Renee Edwards
10. Provide an overview of the system: The NIH Portal is a web-based application that gives
NIH staff a single point of access to the data, documents, applications and services available at
the National Institutes of Health.
The NIH portal enables employees to bring together in one site the links to NIH data and
documents used to support the mission of the NIH.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NIH Portal maintains
links to NIH data and documents that NIH staff use to support the mission of the NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A - There is no IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIHnet [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/27/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIHnet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Renita Anderson
10. Provide an overview of the system: NIHnet is the network backbone infrastructure for the
U.S. Department of Health and Human Services (HHS), National Institutes of Health (NIH).
NIHnet provides data transport services, network security services and commodity Internet
services to the NIH's 27 Institutes and Centers (ICs). NIHnet also provides connectivity from
NIH to the HHS Operating Divisions (OPDIVS) and Staff Divisions (STAFFDIVS) via HHSnet.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIHnet provides data
transport services for NIH Institutes and Centers. Per NIST SP 800-60, NIHnet maintains
Information and Technology Management information (e.g., IT infrastructure maintenance, IT
security, system development, etc.). NIHnet does not collect, maintain or disseminate IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Remedy Problem
Tracking System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Help Desk Ticket Tracking System (CIT
Remedy)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chris Ohlandt
10. Provide an overview of the system: The system was used by the IT Support Community at
NIH to track customer technical issues from the time of first contact to the point of problem
resolution. Authorized users from NIH and certain sister agencies can log in, enter tickets, track
their own tickets, and view tickets for other users within their own area.
This software system is being phased out effective September 1, 2012 and will be in effect
through November 30, 2012.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is disclosed only to other support organizations within NIH or with HHS
organizations outside of NIH with whom we share an SLA. SOR 09-25-0216
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Name, business contact
information, business computer information, and IT support issue information is collected.
Submission is voluntary. Information is shared in order to provide technical support, training,
and other support services to the customer.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Consent is voluntary and is provided by users of NIH
services in order to obtain IT support. Any changes to data collected will be addressed at the next
contact with the customer. No disclosure is made outside the scope of this statement therefore no
additional consent is needed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical hardware is located in a secured
machine room environment and accessible only via cardkey and/or biometric retinal scanning.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Scientific Coding
System OnDemand [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-3106-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Scientific Coding System (SCS) OnDemand
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Aileen Kelly
10. Provide an overview of the system: SCS OnDemand is a scientific coding and reporting
IMPAC II extension system application. The data included in the system is required for NIH to
fulfill its scientific reporting obligation to the Public, Congress, and the White House, for
national health policy and goals.
SCS uses the IMPAC II Reporting Database (IRDB) as the primary data source. SCS users also
have the ability to add projects (e.g. contracts) to the system that are not included in the IRDB.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not disclose IIF. SOR is 09-25-0036, 09-25-0038
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) PI Name (mandatory and
extracted from IMPAC II) – used as a business point of contact on grants and contracts
2) PI Birth Year (mandatory and extracted from bio-sketch info from the abstract/summary
statement, or other internet data sources, and then entered into SCS by the Scientific Coder) –
used for analysis of the NIH scientific program
3) PI Gender (mandatory and extracted from bio-sketch info from the abstract/summary
statement, or other internet data sources, and then entered into SCS by the Scientific Coder) –
used for analysis of the NIH scientific program.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Will use Privacy Act Notification Statement as defined
by IMPAC II. Will use the same format as that of IMPAC II to notify users.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The SCS is hosted by the NIH Data Center
which provides the administrative, technical and physical controls. Technical controls will
include the use of user ids, passwords, and a firewall. Physical access controls will include the
use of identification badges and key cards. Administrative controls will include a security and
contingency plan. Additionally, files will be backed up using the schedule defined by the NIH
Data Center. User manuals will also be provided.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Symantec
Management Console [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Symantec Management Console
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Connie Latzko NIH/CIT/DCS
10. Provide an overview of the system: Symantec Management Console is an agent based
systems management solution used to provide hardware and software inventory, patch
management, and software delivery for CIT commodity desktops.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected
includes Machine Hardware, Software, IP address, User ID, User Location (Imported from the
GAL) and status of Tasks run or to be run on the machine. This data is collected to improve the
efficiency of managing and the security of CIT desktops and clients supported by CIT desktop
support. The purpose is to manage the client system, i.e., to provide missing patches, deliver
software packages, and assist in determining required hardware/software upgrades (such as
minimum hardware requirements to run a new OS or application). No IIF is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF is collected
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CIT Titan [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): There are no additional identifying numbers.
7. System Name (Align with system Item name): NIH Titan
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: John Dussault
10. Provide an overview of the system: Titan is a general support system that hosts a wide
range of applications. Provided services include:
• Batch processing with the capability to process hundreds of concurrent jobs
• Interactive systems
• Scientific Statistical systems
• Language compilers
• Databases
• Web hosting
• Central printing
• Disaster Recovery
• Automatic data backup
• Gateways for client/server applications
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The only information
collected from individuals is their names and work-related information such as office locations,
phone numbers, etc., solely for the purpose of establishing user accounts on Titan. No
personally-identifying information is collected, maintained, or disseminated as part of customer
support for Titan services. This information is collected from government employees and
contractors only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michele Mulholland France, CIT/NIH
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Blanket Purchase
Agreement - Hotel Application Tool (BPA HAT)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CSR Blanket Purchase Agreement -
Hotel Application Tool (BPA HAT)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: This database shall replace the current paper based
process for accepting, reviewing and approving NIH Blanket Purchase Agreement (BPA) hotel
applications. In addition, this system shall automate workflow through auto-generated alerts,
emails and access to a centralized repository. The overall objective of this project is to minimize
these manual touch points and increase the efficiency of the business processes for a new or
renewed BPA application through a workflow engine / SQL database.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system discloses PII to CSR system administrators for the purpose of maintaining and
enhancing the system. The Hotel representative (non-federal employee) enters their PII (name)
into the system for the purpose of streamlining workflow for their BPA. The NIH BPA Office
(federal employees) also has view-only access to the system. Only the NIH BPA Office and the
CSR SREA office (federal employees) will be reviewing the information in the system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Hotel User Name, DUNS
Number (a nine-digit number issued by Dun & Bradstreet (D&B) and assigned to each business
location in the D&B database having a unique, separate, and distinct operation, for the purpose
of identifying them), EIN Number (Federal Tax Identification Number), legal business name,
business email address, Hotel address (city, state, zip). The NIH BPA Office may upload NIH
form SF 30 or 347 in relation to a particular Hotel that receives a BPA award.
** The DUNS # is not PII.
(2) To review Hotel information and award Blanket Purchase Agreements.
(3) Yes information contains PII.
(4) Submission of personal information is mandatory; this includes the hotel representative's
name (non-federal) and the hotel representative's email address (corporate/personal).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1). The Hotel user will be notified via email when
there are changes to the system.
(2). The individual is voluntarily placing their information into the system. There is a privacy
disclaimer and a link to the CSR statement is provided in the footer.
(3). The information stored in the system is not accessible to anyone outside of HHS/NIH in a
manner that identifies the individual except for the Hotel user themselves and except as
permitted by the Privacy Act. The information will be used and shared for federal procurement
and communication with Hotel representatives.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII is secured through Technical
controls: User ID and passwords have to be used for network authentication.
Administrative controls: Documented training materials as well as face to face training will be
provided.
Physical controls: Security guards, ID badges, and Key Cards are used to gain access to Sterling
where the system will be housed.
The required password strength for CSR and NIH users is implemented by NIH through logical
access controls that protect information from unauthorized access, alteration, loss, disclosure,
and loss of availability, in accordance with the HHS Information Security Program.
The SREA office will go on a Road Show to go through the steps of the application process.
Estimated road show is 10/10, 11/10, and 12/10.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR College of CSR
Reviewers
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH-CSR College of CSR Reviewers
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: The College of Distinguished Reviewers database
maintains the profiles of grant reviewers, email address and their review performance history to
enable effective time management in the assembly of a pre-screened and pre-committed pool of
highly qualified reviewers. College of CSR reviewers agree to review up to 12 applications a
year during a two-year period.
College reviewers primarily will provide written or "mail-in" critiques and be involved in two-
stage reviews, which have successfully assessed thousands of special sets of applications, such as
the Transformative R01 and Challenge grant applications and small business applications.
In these reviews, the College reviewers will serve as first-stage experts to assess each application
and submit their critiques online. A second panel of reviewers with broad expertise will then
examine the critiques and applications, focusing on the impact of the proposed research and
assigning final overall impact/priority scores in a more consistent fashion.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system shares the reviewer's email address and name; the email address may be either a
home or business email address. The system shares its data only within CSR, with senior
administrators. The purpose is for CSR senior administrators to determine the best reviewers
based on expertise.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1). Lastname,
FirstName, Title, Department, Institution, Email, Phone, Expertise keywords from RCDC and
from reviewer, eRA commonsID, SRORating, Funding History, Review History, PubmedID,
Publications, Commitment, SubscriptionEndDate, VerificationCode, IsExpertiseURLExpired,
Lastmodifieddate.
(2). CSR shall collect this information for the purpose of establishing the best set of reviewers
based on background and expertise.
(3). The phone number and email address provided by the reviewer can be either personal or
business contact information.
(4). The submission of this data is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1). The consent is obtained electronically through an
email verifying participation in the College of CSR Reviewers provided by the Reviewer.
(2). The individual is notified via an email request if they would like to participate in the
College of CSR Reviewers and provided the requested information. The information is
voluntarily submitted by the potential reviewer.
(3). Individuals will give notice of their consent via email notification. The individuals will self-
consent by providing the requested information to take part in the College of CSR Reviewers.
The information stored in the system is not accessible to anyone outside of HHS/NIH in a
manner that identifies the individual except for the applicant themselves and except as permitted
by the Privacy Act.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII is secured through Technical
controls: User ID and passwords have to be used for network authentication.
Administrative controls: Training provided as needed. The system is backed up on a regular
basis.
Physical controls: Security guards, ID badges, and Key Cards are used to gain access to Sterling
where the system will be housed.
The required password strength for CSR and NIH users is implemented by NIH through logical
access controls that protect information from unauthorized access, alteration, loss, disclosure,
and loss of availability, in accordance with the HHS Information Security Program.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Committee
Management Application
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Committee Management Application
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: The Committee Management Application is a sub-
application of the existing employee database (NIH Enterprise Directory via the CSR Intranet)
which stores employee committee involvement data. The system also has a reporting capability
for management and committee members.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The Committee Management Application allows senior management access to query and report
functions. Other access will be granted on a need-to-know basis as determined by senior
management. Application administrators will have access to add, edit, and delete all committees
and memberships. Employees will have read-only access to their current list of committee
memberships through a link in the employee information update screen located on the CSR
Intranet. This application is only accessible to NIH employees and NIH/CIT employees as
needed since the application resides on a CIT server.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Application includes
information on NIH/CSR Committee name, membership of committee, and member contact
information (NIH email and phone number). (2) NIH/CSR uses this application to remove the
manual touchpoints, i.e. paper, and streamline the flow of data to users and management. (3)
Yes, PII data in the form of the employee name, NIH email address, and NIH phone number. (4)
Per CSR policy, all committee membership rosters are included.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) N/A - no major changes anticipated. (2) On the CSR
Intranet (the parent system to this application) a message is displayed to the employees
explaining the purpose and protections in place to safeguard information. (3) Users have read-
only access to view committee memberships; administrators have add, edit, and delete capability
for all committee memberships; developers/contractors have access to maintain and operate the
application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative Controls: role-based access;
appropriate system security plan, contingency plan, file back-up, training of users, and retention
and destruction policies are in place.
Technical: User ID, passwords, firewall, VPN, encryption and IDS are in place on all CSR
systems.
Physical: guards, ID badges and key cards are utilized at the server location and the CSR offices.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR CSR Sterling GSS
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-3204-00-305-109
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): CSR-2
7. System Name (Align with system Item name): CSR Intranet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: Provides information on all aspects of CSR work to
CSR and NIH staff. Authorized by Section 301 of the PHS Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Provides information on all aspects of CSR work to CSR and NIH staff. The system provides
contact information to CSR supervisors for crisis notification. SORN #09-25-0106 CSR staff
directory contains working addresses for all CSR employees.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Provides information on
CSR work (forms, publications, policies) to CSR and NIH staff. The system shares contact
information (home phone #, email address, cell phone #) with CSR supervisors for use in crisis
notification. The mandatory information will be cell phone, home address, home phone, and
personal email address. Voluntary information will be out-of-area contact information, i.e.:
contact name, address, phone, and email address.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A message is displayed to the employees explaining the
purpose and protections in place to safeguard information. There is no consent process since this
information is mandatory and critical to continue the CSR mission in case of emergency.
Also, CSR users make changes to their personal information by themselves, thus eliminating
errors and misrepresentation of their personal information, such as phone and email address, in
the CSR staff directory.
NIH maintains the NED directory with CSR users' PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Photos of staff are limited to NIHnet
users. IIF in the form of home phone numbers will be restricted to an SSL-enabled website and
will require user authentication with an NIH login and password.
Administrative
Logging on to the Intranet requires an Active Directory account, which is created and maintained
by the central NIH account authority. The initial employee record is entered by the supervisor as
part of a desktop support request. Once the employee is settled, he/she enters additional
emergency contact information, i.e. home address, cell phone or home phone number. This
information is mandatory in case of emergency, so that CSR can contact employees. Prior to the
employee's departure/separation date, the employee is required to complete a form on the CSR
Intranet and return the NIH badge and CSR property items. The automated record is removed
from the system 30 calendar days after the departure date. No database backup retains
information about a former employee after 60 calendar days.
Technical
The employee entry form is located on the CSR Intranet. The server where the CSR database
resides is hosted and maintained by the CIT hosting branch. It is physically located in Building
12. The building has the technical infrastructure to ensure protection of the server from physical
and online attacks via ADP room access controls and WAN and LAN intrusion protection. The
software program allows the following access to employee records:
Role: Director, CSR, Emergency Coordinator, Division Directors (6) - Records Access: All
Role: Branch and IRG Chiefs - Records Access: Employees Supervisor
Role: All Employees - Records Access: Supervisor
This access is maintained through NIH Active Directory. The system administrator's password is
changed every year. Due to operational necessities, an exception to policy was granted for a
year-long password. The CIT hosting branch provides operating system and database patches in
accordance with policy set by CERT and the manufacturer.
Physical
Building 12 has access control procedures in place to prevent unauthorized access to CSR
servers. In addition, CSR employees are not authorized to enter the ADP room or access servers
without escort. All supervisors have the ability to save and/or print a hardcopy of the employee
directory. The supervisor is required to keep this information in a locked file cabinet at all times.
In addition, the list is stored on the local drive of the supervisor. All hard drives are encrypted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Directors Dashboard
(DD)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CSR Directors Dashboard
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Doug Sur
10. Provide an overview of the system: The Directors Dashboard is a web-based application
located on SharePoint 2010 that contains canned reports and data elements for review by senior
management of CSR. The function of the Directors Dashboard is to provide a way to quickly
identify and monitor organizational factors to ensure that SROs (Scientific Review Officers) are
performing at a level that will allow CSR to achieve its desired business objectives.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The information
disseminated in the Directors Dashboard includes: Division, IRG (Integrated Review Group),
SRO, Meeting name, number of applications, number of Reviewers, percent of applications
assigned, Deadline date, percent of scores submitted, percent of critiques submitted, percent of
Summary Statements for new investigators and percent of Summary Statements for others.
(2) The Directors Dashboard is to provide a way to quickly identify and monitor organizational
factors to ensure that SROs are performing at a level that will allow CSR to achieve its desired
business objectives.
(3) The information contained in the Directors Dashboard does not contain PII.
(4) Not applicable.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) The system does not contain PII and therefore does
not notify and obtain consent from individuals.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable, as the system does not store
PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Early Career
Reviewer database (ECR)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CSR Early Career Reviewers Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Doug Sur
10. Provide an overview of the system: This database provides a pool of potential reviewers
for study sections. The data is pulled from IMPAC II (Information for Management, Planning,
Analysis and Coordination). IMPAC II is the grants management database used by NIH
(National Institutes of Health). The data is entered manually and the database has query and
reporting functionality. When a potential reviewer is identified, the system allows an email to
be sent to the reviewer requesting their participation in a meeting. When a reviewer responds to a
web form, the database can be automatically updated with the response.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1). The data collected are:
Name, Email, Institution, Professional Title, expertise keywords. The system also maintains data
collected from IMPAC II: Commons Identification number and Profile Identification number.
(2). The system shares PII with internal staff for the purpose of generating participants for
review meetings.
(3). Yes.
(4). The personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1). Individuals voluntarily provide consent to the use of
PII (even during major system changes) when they provide data on a web form. Individuals
provide notice of consent electronically (web form).
(2). All individuals are notified orally via a phone call as to the purpose and intent of the
database, as well as obtaining consent. In addition, all individuals are provided a letter
notifying them of why the data is being collected and the purpose of the data collection.
(3). The information is shared internally for the purpose of obtaining participants for study section
meetings via queries from the system database.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Technical Control: User ID and passwords
have to be used for network authentication.
Administrative Control: Role-based access. Training materials are being developed.
Physical Controls: Security guards, ID badges, cipher locks and closed-circuit TV at the data
center.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Financial Operating
System (FOS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036 Extramural Awards and Chartered Advisory
Committees (IMPAC 2), Contract Information (DCIS) and Cooperative Agreement Information,
HHS/NIH
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CSR Financial Operating System
(FOS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: Due to the large volume of CSR peer review meetings,
CSR decided to automate the process of transferring meeting rosters to WTS for the purpose of
travel reservations. In the past, CSR staff used to fax the meeting rosters to World Travel Services
(WTS). As reviewers called WTS to make their travel reservations, WTS used the roster to
confirm that the individuals making their reservations using the CSR meeting codes were included
on each meeting roster. Financial Operating System (FOS) is a government-to-government
contractor application which enhances the timeliness, accuracy and completeness of labor and
travel expense data by automating the transmission of data to and from the IMPAC II and WTS (World
Travel Services) systems. FOS is a conduit to transfer information between systems; it is not
accessed by users, and information is not retrieved by PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
FOS is a conduit between IMPAC II and WTS (World Travel Services); the purpose of FOS is not to
display data, it is only to transmit data.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. FOS transmits the
following data: Study Section Meeting Name, Meeting Date, Reviewer Name, Title and work
address, Scientific Review Officer name, government phone, and government email, Meeting
location. This information is publicly available on the study section roster as available on the
CSR website.
2. FOS transmits to WTS to confirm that individuals making reservations using the CSR meeting
codes are included on each meeting roster.
3. The only PII is the reviewer's name. The reviewer is not a Federal employee.
4. Yes, when the reviewer agrees to be on a study section panel they provide their information
voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is voluntarily provided by reviewers for
input into the IMPAC II system. IMPAC II is the system that FOS derives all information from.
Notification and consent are not applicable to FOS since FOS is a conduit with no user interface.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII is secured through Technical
Controls: user IDs and passwords are used for network authentication. SSL is used to secure
downloaded data. Physical controls: security guards, identification badges, and key cards are
used to gain access to Building 12, where the system is located. The required password strength
for CSR and NIH users is implemented by NIH through logical access controls that provide
protection from unauthorized access, alteration, loss, disclosure, and availability of information
in accordance with HHS' Information Security Program. Administrative Controls: direct
access to FOS is limited to the IMB team.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac (301-435-0657)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Grant Redundant
Application Search Program (GRASP)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Grant Redundant Application Search
Program (GRASP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: The system has the following operational
functionality:
- Compare new grant application submissions to a database of previous application submissions
(and potentially other sources).
(1) use of original material from others
(2) submission of multiple applications
(3) renamed applications
(4) already completed work
- Displays output summarizing findings
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system discloses PII only internally and not with other systems or externally for the purpose
of receipt and referral of applications.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Data provided will be
text-parseable documents, specifically grant applications in one or more PDF files and other files
that communicate other grant application information as extracted from the IMPAC II system
(eCommons name, PI name, etc.). Only text will be uploaded to the GRASP system; that text will be
readily parseable, and not in an image format requiring optical character recognition.
(2) CSR shall use the information provided in order to minimize the resources and time used in
identifying inequality amongst grant applicants. These inequalities include the duplicative and
overlapping use of original material from others, the submission of multiple applications,
renamed applications, and requesting funding for already completed work.
(3) Yes, this system does contain PII.
(4) Voluntary. The PII information is collected from the existing IMPACII system where
applicants submit grant applications for review.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) As GRASP will utilize historical data from IMPACII,
no processes are in place to obtain consent from individuals who submitted applications.
The IMPAC II System of Records Notice is in place.
The GRASP system shall collect historical application data to be part of the comparison effort
and transferred to the data warehouse (dbGRASP) in the GRASP system. This data will be
parsed, formatted and indexed for use by the GRASP system. The source for all comparison
work will be historical information from IMPAC II. Periodically, a data extract representing
new entries to IMPAC will be created and transferred to the GRASP data warehouse.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative Controls: role-based access;
appropriate system security plan, contingency plan, file back-up, training of users, and retention
and destruction policies are in place.
Technical: User ID, passwords, firewall, VPN, encryption and IDS are in place on all CSR
systems.
Physical: guards, ID badges and key cards are utilized at the server location and the CSR offices.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Internet Assisted
Meeting (IAM)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3222-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Internet Assisted Meeting (IAM)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: A strategic objective of the Center for Scientific
Review is to enrich methods for review of grant applications. This new method, based upon the
use of a threaded message board with features tailored to NIH review, permits the asynchronous
discussion and private scoring of grant applications without the need for concurrent assembly or
teleconference. As an alternative review format, it complements and extends the ways that CSR
conducts peer-review at NIH.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system shares or discloses email address, name and IMPAC II identifiers (Commons ID
name, and NIH login name) with reviewers, NIH program officers, and CSR SROs for the
purposes of peer review.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information type: Grant
related information is used during the discussion of grant applications in an online collaborative
space in lieu of a physical meeting. The reviewers score applications on a scientific merit basis.
The submission is mandatory and does contain IIF (Information in Identifiable Form), namely name
and email, which are transmitted using SSL.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The system does not gather any information from the
public and it is not a publicly accessible system. The system only uses downloaded data in read
format from IMPAC II.
The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner
that identifies the individual except for the applicants themselves and except as permitted by the
Privacy Act.
IAM does not change any information and does not have any consent procedures for this. There
might be minor changes in IMPACII of some information such as grant application identifiers.
Applicants can also access their personal information through NIH Commons with their personal
passwords and logon names. Significant changes to grant application information that IAM
downloads from IMPACII are achieved by voluntary resubmission of grant application by
applicants and there are no consent procedures in place for CSR staff. Applicants are informed
of major changes in internal use of their data via publication in the NIH Guidelines published on
the CSR Internet.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII is secured through Technical
controls: User ID and passwords have to be used for network authentication. SSL is used to
secure downloaded data. Administrative controls: IAM training is available for CSR users and
reviewers. Training materials are updated and the IAM system is backed up on a regular basis.
Physical controls: the system is located in 2 locations. Building 12: security guards, identification
badges, and key cards are used to gain access. CSR Data Center Sterling: security guards,
identification badges, key cards, cipher locks, biometrics (fingerprint scan) and closed-circuit TV.
The required password strength for CSR and NIH users is implemented by NIH through logical
access controls that provide protection from unauthorized access, alteration, loss, disclosure, and
availability of information in accordance with HHS' Information Security Program. The required
password strength for external users is enforced through account lockout controls that limit the
number of consecutive failed log-on attempts; a sign-on warning banner at the IAM access point;
automatically timed-out sessions; and deletion of external user information with automatic deletion of
the whole IAM web site 2 hours after the meeting is completed.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Internet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-3204-00-305-109
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): CSR-3
7. System Name (Align with system Item name): CSR Internet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bhattacharyya, Dipak
10. Provide an overview of the system: Provide resources for applicants, news and reports,
information about CSR and peer review meetings to the general public. Authorized by Section
301 of the PHS Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
General public, applicants and reviewers can get access to the CSR staff directory and study section
rosters. The CSR Internet application has been created for the purpose of providing information to
NIH and the scientific community on the World Wide Web.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. CSR Internet maintains
and disseminates name and photographic identifiers.
2. To clearly identify the person within the organizational structure.
3. The only PII maintained within the system is the person's name and photographic identifiers.
4. The user does not submit information to CSR.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Data in the staff directory and rosters do not change
without users' consent and approval. Users submit their information for posting to CSR web
developers mostly in electronic form.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Covered by CSR Security Plan.
Authorized by Section 301 of the PHS Act.
The CSR Web site is designed as a public service to provide information to a general audience. Every
page on the CSR web site is accessible to the general public, including people with disabilities.
Technical controls are provided by NIH. The application data are backed up daily.
The CSR Web site is updated regularly.
Physical controls: Security guards, identification badges, and key cards are used to gain access to
Building 12, where the system is located.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR LAN [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A - GSS PIA included for C&A purposes only
5. OMB Information Collection Approval Number: N/A -GSS PIA included for C&A
purposes only
6. Other Identifying Number(s): N/A -GSS PIA included for C&A purposes only
7. System Name (Align with system Item name): NIH CSR Local Area Network (CSR LAN)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Prema Nair
10. Provide an overview of the system: CSR LAN GSS is the front end parent reportable
system that passes NIH common controls to CSR internet, CSR telework program, GRASP,
eCD, NIH College of CSR Reviewers, and Real Time Meeting Status Tool. In addition, it will
also pass NIH common controls to CSR intranet parent reportable systems.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A - GSS PIA included for C&A purposes only
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: N/A - GSS PIA included for
C&A purposes only
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A - GSS PIA included for C&A purposes only
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A - GSS PIA included for C&A purposes
only
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Member Application
Notification (MAN)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Member Application Notification (MAN)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: The MAN system provides daily notifications of initial
application assignment to a given Integrated Review Group (IRG) Chief (or their designee) if at
least one application has received its initial review assignment to their IRG (or directly to a SRG
or SEP within their IRG) or their SRC99 (in the case of ICs) and meets the specified business
rules.
- Identify only applications with mechanism types limited to R01, R21, and R34 submitted by
only appointed chartered study section members (not temporary or ad hoc) as recorded in
IMPAC II.
- Exclude applications for which appointed members have a role other than PD/PI, including
appointed members serving as sponsors for fellowship applications or mentors for career award
applications.
- Applications with multiple PI/PDs should be identified if one or more are eligible based on
their status as a study section member (it is not necessary for all of the PI/PDs of a given
application to be members).
- Identify and include eligible funding opportunity announcements such as PA, PAR, and PAS
per CSR R&R guidance
- Send notifications to individual Outlook group addresses for each of the IRGs (Chiefs and their
designees) and each of the ICs (Review Chief and their designees)
- The application accession number, appid, application title, application assignment information,
and the list of PI/PDs should be included in the notification to the IRGs or ICs.
- Application title in the IRG Chief's report
- Allow IRG Chiefs to indicate whether or not applications are continuous submissions and
capture designation in the database
- Allow IRG Chiefs to look at applications from all other IRGs received within the last two
months and indicate which they can review by entering status into database.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The MAN system provides daily notifications of initial application assignment to a given
Integrated Review Group (IRG) Chief (or their designee) if at least one application has received
its initial review assignment to their IRG (or directly to a SRG or SEP within their IRG) or their
SRC99 (in the case of ICs) and meets the specified business rules.
- Identify only applications with mechanism types limited to R01, R21, and R34 submitted by
only appointed chartered study section members (not temporary or ad hoc) as recorded in
IMPAC II.
- Exclude applications for which appointed members have a role other than PD/PI, including
appointed members serving as sponsors for fellowship applications or mentors for career award
applications.
- Applications with multiple PI/PDs should be identified if one or more are eligible based on
their status as a study section member (it is not necessary for all of the PI/PDs of a given
application to be members).
- Identify and include eligible funding opportunity announcements such as PA, PAR, and PAS
per CSR R&R guidance
- Send notifications to individual Outlook group addresses for each of the IRGs (Chiefs and their
designees) and each of the ICs (Review Chief and their designees)
- The application accession number, appid, application title, application assignment information,
and the list of PI/PDs should be included in the notification to the IRGs or ICs.
- Application title in the IRG Chief's report
- Allow IRG Chiefs to indicate whether or not applications are continuous submissions and
capture designation in the database
- Allow IRG Chiefs to look at applications from all other IRGs received within the last two
months and indicate which they can review by entering status into database.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The combined monthly
report and the email generated have the fields specified:
a. IC
b. MEMBER IRG
c. CMTE
d. MEM PI NAME
e. MEMBER START DATE
f. MEMBER END DATE
g. GRANT NUM
h. ACCESSION NUM
i. APPL CLUSTER IRG
j. STUDY SECTION FULL
k. RFA PA NUMBER
l. COUNCIL DATE
m. APPLICATION RECEIVED DATE
IMPAC II is the source of all application data.
(2) The MAN System ensures that Integrated Review Groups (IRGs) Chiefs and IC Review
Chiefs/contacts are aware of the assignment of applications submitted by chartered members of
the standing study sections to Integrated Review Groups (IRGs) and Study Sections.
(3) Yes
(4) Voluntary. All information is provided via the IMPAC II system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All data contained within this system is pulled from
IMPAC II. The system does not gather any information directly from the public. It is not
publicly accessible and the information is not disclosed to anyone outside of CSR. Individuals
have the opportunity to view the Privacy Statement from the IMPAC II website.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative Controls: role-based access;
appropriate system security plan, contingency plan, file back-up, training of users, and retention
and destruction policies are in place.
Technical: User ID, passwords, firewall, VPN, encryption and IDS are in place on all CSR
systems.
Physical: guards, ID badges and key cards are utilized at the server location and the CSR offices.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR National Registry of
Volunteer Reviewers
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NA
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH CSR National Registry of Volunteer
Reviewers
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Nair Prema, Diane Stassi,
Weijia Ni
10. Provide an overview of the system: The CSR National Registry of Volunteer Reviewers is
an Access-based database that contains information provided by volunteer scientists who are
interested in serving on CSR grant review panels. Information provided includes: Name,
Degree, Title, Institution, Department, Email, Web Address(es), Area of Expertise/Keywords,
Study Section or IRG, Recent funding sources, Referring Society, QVR Person ID, NIH review
and grant history, Geographical Region, Date Registered, SRO Contact Records (check boxes for
“Contacted” and “Served” as well as date and SRO name), and an SRO Reviewer Evaluation
field (check boxes 1-5 – for scientific expertise and review performance). The database is
available to everyone in CSR who has access to the CSR share drive. The database is searchable
by Keyword, IRG, and Region.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is disclosed to anyone in CSR with access to the Share Drive, including, Scientific
Review Officers, IRG Chiefs, Division Directors, personnel in the Director’s Office. The
information will be used to 1) identify highly qualified reviewers who are willing to serve on
study sections and 2) report back to the referring societies on how many of their recommended
reviewers have served on panels.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected
for the CSR National Registry of Volunteer Reviewers contains IIF. The following information
is voluntarily provided by scientists who are interested in serving on CSR grant review panels:
Name, Degree, Title, Institution, Department, Email, Web Address(es), Area of
Expertise/Keywords, Study Section or IRG, Recent funding sources, and Referring Society. In
addition to this information, the developers of the database add the volunteer’s QVR Person ID
and NIH Review history (if they are in the system), Geographical Region, Date Registered, and
Reviewer Evaluation (check boxes 1-5 – for scientific expertise and review performance).
Individuals using the database (primarily Scientific Review Officers) may add Contact Records
(check boxes for “Contacted” and “Served”, date and SRO name) as well as reviewer evaluation.
The information will be used to identify highly qualified reviewers to serve on study section
panels and to provide feedback to societies on whether their members are serving on panels.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No major changes are expected to occur to the
database. If any changes are made, we will notify all individuals via email. We will be
collecting the following IIF: Name, Mailing Address, Phone Numbers, Device Identifiers, Web
Uniform Resource Locator(s) (URL), Email Address, and QVR Identifier. Individuals will be
notified via email describing the IIF obtained and that we will use this information to identify
highly qualified reviewers who are willing to serve on study sections. This information is stored
in a database that is available to CSR employees, and specifically created for Scientific Review
Officer use. The email notification will also give the individual the option of rescinding their
information, at which point the system developers will destroy (permanently delete) the IIF
provided.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls. To run the
database, SROs download it to their C-Drives from Share drive. Access to the CSR Share drive
is limited. Personnel with access to the database have been trained and are aware of their
responsibilities for protecting IIF.
Physical controls. Rockledge 2 is secured by guards, employee identification badges and
keycards.
Technical controls: All CSR laptop computers are encrypted. User identification, passwords,
firewall, VPN are currently in place. Security patches for servers and laptops are always kept
current.
The NIH incident response team will notify the CSR ISSO of any security incidents detected.
Users will notify the CSR ISSO and NIH Helpdesk of any security incidents.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Out of Town
Calendar
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A - no PII
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CSR Out of Town Calendar
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Dipak Bhattacharyya
10. Provide an overview of the system: The Out of Town meeting calendar provides calendaring
functionality allowing Scientific Review Officers and associated CSR staff to verify peer review
meeting dates and locations that take place across the United States. The calendar enables
filtering and data input abilities that minimize the extraneous processes currently being used;
Scientific Review Officers will be able to select the location and time where they would like to
schedule a meeting.
This calendar has the following features:
1) Coordinate out-of-town and local meetings across all institutional review groups
2) Help DEAS provide coverage for out-of-town and local meetings
3) Create meeting reports for Chiefs and the Office of the Director
4) Provide a repository for meeting information such as hotel name, date & time of meeting
5) Provide centralized access to Google Maps and hotel survey data
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Meeting date, location,
Scientific Reviewer Officer name, Council round, meeting staff name (CSR staff).
(2) To coordinate scheduling activities for CSR staff.
(3) The information does not contain PII.
(4) CSR staff enter the data listed in (1) above. The only personal information is the
names of the CSR staff involved in the meeting, which is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The system does not gather any information from the
public and it is not a publicly accessible system. The system uses downloaded data in read
format from IMPAC II as well as data entered by the user (Federal employee).
The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner
that identifies the individual, except to the applicants themselves and except as permitted by the
Privacy Act.
We do not notify any individuals regarding PII, because there is no PII contained in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not contain any PII.
However, the system has the following controls.
Administrative controls: Training as needed. The system is backed up on a regular basis.
Technical controls: User ID and password have to be used for network authentication.
Physical controls: Security guards, ID badges, and key cards are used to gain access to bldg. 12,
where it is housed.
The required password strength for CSR and NIH users is implemented by NIH through local
access controls that provide protection from unauthorized access, alteration, loss, disclosure, and
loss of availability of information in accordance with the HHS information security program.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Performance
Management Appraisal Program (PMAP)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Performance Management Appraisal
Program (PMAP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: The PMAP review system provides an automated
process for specific members of Office of the Director (OD) and Managers to review the written
performance summaries of two categories of CSR staff. This process streamlines the previously
manual process and provides for more effective time management and evaluation techniques.
The scope of the PMAP review system automates the previous process for performance reviews
for ease of use. The product has the following features:
• PMAPs grouped by Division, IRG and/or Branch – in a table-like structure
• Display the names of all CSR staff within selected group/IRG/branch
• Ability to individually select a performance summary out of the staff listing
• Allow display of performance summary and assigned score for the PMAP being
reviewed
• Ability to change the assigned score, if desired
• Ability to update changes to the PMAP and create a permanent record
• Store the performance summaries
• Display the current number out of total for the specified group (e.g., 3 out of 10)
• Ability to move to the next performance summary within the same group
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The PMAP system
maintains information including employee name, work phone, work email, performance rating,
and salary. (2) PMAP is a required HHS annual process to rate the performance of employees.
This system streamlines the process electronically. (3) Yes. (4) Mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) No major changes anticipated. (2) The PMAP
process is a required HHS process of which employees are notified when they are hired. (3)
Information will be used by supervisors and the administrators to rate the performance of
employees.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative
To log on the Intranet requires an active directory account, which is created and maintained by
the central NIH account authority. This system is hosted by the CSR intranet and will have role-
based access for supervisors, administrators and the technical team.
Technical
The employee entry form is located on the CSR Intranet. The server where CSR database resides
is hosted and maintained by the CSR Sterling, VA data center. It is physically located in Sterling
VA. The building has the technical infrastructure to ensure protection of the server from physical
and online attacks via ADP room access controls and WAN and LAN intrusion protection.
This access is maintained through NIH Active Directory. The system administrator's password is
changed every 60 days. CSR provides the operating and database system patches in accordance with
policy set by CERT.
Physical
Building 12 has access control procedures in place to prevent unauthorized access to CSR
servers. In addition, CSR employees are not authorized to enter the ADP room or access servers
without escort. All hard drives are encrypted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Qualifying
Therapeutic Discovery Program
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CSR Qualifying Therapeutic Discovery
Program (QTDP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya; George
Chacko
10. Provide an overview of the system: The Qualifying Therapeutic Discovery Project (QTDP)
program is provided under new section 48D of the Internal Revenue Code (IRC), enacted as part
of the Patient Protection and Affordable Care Act of 2010 (P.L. 111-148).
Under the program, eligible taxpayers may apply for certification from the Internal Revenue
Service (IRS) of a qualified investment with respect to a qualifying therapeutic discovery project
as eligible for a credit, or for certain taxpayers, a grant from the Department of the Treasury.
The IRS will certify an eligible taxpayer’s qualified investment only if:
(1) HHS determines that the taxpayer’s project is a qualifying therapeutic discovery project (as
defined in section 4.02 of IRS Notice 2010-45). Specifically, HHS will determine whether an
applicant's project meets the definition of a “qualifying therapeutic discovery project”, which
means projects designed to:
treat or prevent diseases or conditions by conducting pre-clinical activities, clinical trials and
clinical studies or carrying out research protocols, for the purpose of securing Food and Drug
Administration approval of a product,
diagnose diseases or conditions or to determine molecular factors related to diseases or
conditions by developing molecular diagnostics to guide therapeutic decisions, or
develop a product, process or technology to further the delivery or administration of therapeutics.
(2) HHS determines that the taxpayer’s project shows reasonable potential (a) to
result in new therapies (i) to treat areas of unmet medical need, or (ii) to prevent, detect,
or treat chronic or acute diseases and conditions, (b) to reduce long-term health care
costs in the United States, or (c) to significantly advance the goal of curing cancer within
the 30-year period beginning on May 21, 2010; and
(3) The IRS determines that the taxpayer’s project is among those projects that have the greatest
potential (a) to create and sustain (directly or indirectly) high quality, high-paying jobs in the
United States, and (b) to advance United States competitiveness in the fields of life, biological,
and medical sciences.
To apply, companies must use:
· Form 8942, Application for Certification of Qualified Investments Eligible for Credits and
Grants Under the Qualifying Therapeutic Discovery Project Program (Catalog Number 37748D).
· Applicants must also include a Project Information Memorandum (PIM), as instructed in IRS
Notice 2010-45.
Applications may be submitted beginning June 21 and must be submitted no later than July 21,
2010. IRS will send to NIH the PIM. The IRS will issue certifications by October 29, 2010.
HHS/NIH’s role: The statute requires the Secretary of the Department of the Treasury to consult
with the Secretary of the Department of Health and Human Services (HHS) in conducting this
program as described above in (1) and (2).
NIH’s Role in Review of the PIM:
Applications will initially be reviewed by HHS/NIH to determine whether or not they meet the
definition of "qualifying therapeutic discovery project" (see questions 1-4 in the Project
Information Memorandum), and whether they show a reasonable potential to meet the statutory
goals (see questions 5-8 and 9-11 in the Project Information Memorandum). The reviews will be
accomplished by reviewers coordinated by the National Institutes of Health. All applications that
are considered, based on that review, to cover qualifying therapeutic discovery projects that
show a reasonable potential under § 48D(d)(3)(A) will be considered by the IRS as it makes its
determination whether the requirements under § 48D(d)(3)(B) are satisfied.
Review Procedure:
· IRS sends by courier only the PIM sections of the application for NIH review.
· Each application is initially assigned for evaluation to one reviewer.
· The reviewer evaluates the contents of the application (PIM) and recommends scores.
[Predecisional]
· In cases of s
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) IRS sends by courier
only the PIM sections of the application for NIH review. The PIM section includes Corporate
Tax ID, Corporate Address, Principal Investigator Name, Location, Contact Information (federal
employee information)
· Each application is initially assigned for evaluation to one reviewer.
· The reviewer evaluates the contents of the application (PIM) and recommends scores.
[Predecisional]
· In cases of scores below the cutoff value that would be recommended for funding, a second
reviewer is assigned to ensure that applications that meet the definition of a qualifying
therapeutic discovery project and show reasonable potential based on the statutory goals of the
program (as defined in IRS Notice 2010-45) are not being eliminated.
· All results are reviewed and approved by a second level panel, which examines these
suggestions and approves, rejects, or modifies them. [Decisional]
· In the interest of protecting reviewer confidentiality, predecisional details (specifically, the
identity of the reviewer assigned to individual applications) are destroyed 15 days after the
review. An aggregate list of all reviewers involved in the project is published. A similar
procedure is followed in NIH grant review.
(2) These results are reviewed by HHS and transmitted to IRS in the form of a list of applications
for IRS to consider for certification.
(3) Taxpayer ID # of submitting organization, name of organization, name of contact person for
the organization - are included/maintained as part of the application.
(4) Voluntary - submitting grant applications to IRS of their own accord.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1). The system contains information provided by the
Internal Revenue Service. We do not obtain any information from the public.
(2). We are not collecting any PII from individuals; the information that will be provided to us
will be obtained from the Internal Revenue Service. The IRS will provide the name of the contact
person for each applicant organization, taxpayer identification number, and a unique identifier.
(3). The information in each record will be evaluated for its scientific potential. The data within
the system will be looked at by scientific reviewers and the project implementation team and
returned to the IRS in about three months from now.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII is secured through Technical
controls: User ID and passwords have to be used for network authentication.
Physical controls: Security guards, ID badges, and Key Cards are used to gain access to Sterling
where the system will be housed.
The required password strength for CSR and NIH users is implemented by NIH through logical
access controls that provide protection from unauthorized access, alteration, loss, disclosure, and
loss of availability of information in accordance with the HHS Information Security Program.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR privacy coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Real Time Meeting
Status Tool
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): NIH-CSR Real Time Meeting Status Tool
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: The RTMS is an electronic tool through which program
officers will have real-time access to the progress of the discussions of the applications in
different review meetings. Updated information on review meeting progress allows program
officers to plan their attendance at different meetings accordingly. This process allows for better
time management by program officers and increases the transparency of our review meetings.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system displays the Principal Investigator's (PI) name for the purpose of viewing the
associated PI's name for each grant under review. This PI name is static data, for display
purposes only and for understanding the discussion order of grant applications during the review
meeting.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) RTMS pulls the
following information from Internet Assisted Review (IAR); a subsystem of IMPACII: Grant
application number, Application number, NIH Program Officers (NIH employees), Meeting
agenda number, Application discussion order number, Application review order number,
Meeting start date, Meeting end date, Meeting name.
(2) To allow program officers to better regulate their time during the review of their IC
respective applications.
(3) The system contains the name of the Principal Investigator. This person can be a non Federal
employee.
(4) Data is not entered by the user. The system displays data from IAR.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1). The RTMS does not notify individuals whose PII
is in the system of any changes occurring to the system.
(2) The RTMS does not obtain consent from individuals regarding PII. The information is
displayed in a static fashion from a feed to IAR, a subsystem of IMPAC II.
(3). The system does not gather any information from the public and it is not a publicly
accessible system. The system only uses downloaded data in read-only format from IAR. The
information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner that
identifies the individual, except for the applicants and except as permitted by the Privacy Act.
The sole purpose of this data display is to assist the program officer (PO) in viewing the status of
the respective applications during meeting discussions. For example, they will see if it is: in
progress or complete.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Technical controls: user IDs and passwords
have to be used for network authentication. SSL is used to secure downloaded data.
Administrative controls: Role-based access.
Physical controls: security guards, ID badges and key cards are used to gain access to Bldg 12
where the system is located.
Training materials are updated and the system is backed up on a regular basis.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR SOFie ( Status of
Funds)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Nair Prema, Debbie Elliott
10. Provide an overview of the system: The SOFie application supports the efforts of several
offices and branches within the IC, allowing budget offices to track expenditures in appropriate
funds in a fiscal year. The program contains a tracking mechanism to track prior year funds as
well. The application downloads this information from the NIH Data Warehouse weekly.
Information entered into the SOFie database is not uploaded into the NIH Data Warehouse
database. SOFie is not a source database for other information systems.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Accounting data and related
document information is downloaded from CAS/Central Accounting System mainframe and is
specific to CSR for its fiscal year operations. The information is general accounting info by
category (ex. wages), with totals by category, and nothing specific to individual employees. The
system contains no IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Authorized user access to information is
limited to authorized personnel for performance of their duties. Authorized personnel include
NIH employees, system managers and computer personnel. Physical safeguards are in place at
CSR and the contractor facilities. Access codes are deleted when employees leave CSR. New
employees have obligatory training and NIH/CSR security department is notified of all staff
members and contractors authorized to be in secured areas during working and nonworking
hours. The list is revised at NIH and requires the completion of a computer-based training
(CBT) course entitled ‘Computer Security and Awareness’ for NIH staff and contractors. This
CBT provides an overview of basic IT security practices and the awareness that knowing or
willful disclosure of the sensitive information processed in the system can result in criminal
penalties associated with the Privacy Act, Computer Security Act, and other federal laws that
apply.
All data transmitted between the server (currently at contractor location) and workstations at
CSR are encrypted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH CSR SREA Financial
Tracking System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0024
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): CSR SREA Financial Tracking System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Renee Harris, Dipak
Bhattacharyya, Thao Tran, and Prema Nair
10. Provide an overview of the system: The SREA Office's main functions are to support the
CSR Peer Review by 1) procurement of hotel meeting rooms, sleeping rooms, reviewer
airfare, and AV, and 2) payment to non-Federal reviewers who provide expertise in reviewing grant
applications.
We expect that by having a SREA Financial Tracking system we will be better equipped to serve
NIH/CSR as a whole. Specifically, it is proposed that a web-based system will enable SREA to better
monitor and track Peer Review expenditures in an electronic format which can be queried to do
historical data analyses on a regular basis. We will also be able to allow secured access to SREA
data at multiple levels: administrative, user, and read-only. In addition, we will be in compliance
with the NIH COOP and NIH Vital Records initiatives by electronically housing procurement
documents attached to a corresponding ticket.
SREA is implementing a pilot for other NIH Institute/Center personnel to access an IC-specific
report on the SREA Financial Tracking System via a web link.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The SREA Financial
Tracking Database utilizes PII - in the form of the Scientific Review Officer (SRO) name - from
IMPAC-II. This information is used to create a dropdown menu with the SRO names listed in
the SREA database. SRO names are used to identify review meetings. In the event a reviewer
declines payment of honorarium, their name is manually entered into the SREA database by
users to document payment refusals. SRO name is mandatory. Reviewer name is voluntary.
Vendor information (hotels): contact name, phone number, email, DUNS, and Tax ID Number.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) We do not anticipate any major changes to the system.
In the event of a major change involving PII, a process will be put in place. Individuals are
notified via email regarding the PII in the system and how it is used.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access controls are in place for servers
along with FDCC guidelines.
NIST and FISMA rules and regulations are applied to servers.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH FIC Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH FIC Status of Funds Internet Edition
(SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Danielle Bielenstein
10. Provide an overview of the system: SOFie is a financial tracking tool that allows users to
access financial data and download the data from nVision (the NIH Central Accounting System)
into spreadsheets in order to perform budget analysis.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: FIC accounting transactions
and data are downloaded from nVision (the NIH Central Accounting System). The data is used
to plan, track, and report on expenditures, enabling the FIC budget office to comply with
appropriation laws and regulations. The data contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A - no PII in system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A - no PII in system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Marcia Smith
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Employee Database
Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NCATS Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anita Brooks
10. Provide an overview of the system: EDie is a web-based application that allows Institutes
to accurately maintain individual employee, contractor, fellow, guest, and volunteer information,
as well as plan for, monitor, and report on workforce staffing levels. To minimize duplicate data
entry, the standard business systems from which EDie currently downloads are the NIH Human
Resources Database (HRDB), the Fellowship Payment System (FPS), the NIH Enterprise
Directory (NED), and FSA Atlas. HRDB is EDie’s source for information about general hire
employees, including General Schedule, General Wage, Commissioned Officers, and others.
The official data that is stored in HRDB, including payroll information, is available for each
employee and can be viewed by those users with corresponding access privileges. FPS is the
source for information about visiting fellows, including their stipend and sponsorship
information. NED is the source for information about contractors and other special volunteers.
Because these are not direct hire employees, there is no payroll or FTE information available for
these employees. EDie also pulls in locator information from NED for every employee that is
stored in EDie and who has a corresponding NED ID. FSA Atlas is the source for Visa
information. EDie provides an efficient and effective way to manage and report on the
workforce of the Institute/Center (IC). It provides the ability to track and report on planning
records. It allows users to update staff information for future actions while also having the
ability to view the official source information, staffing summary and trend information.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, Fellowship
Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses
consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports
requested by the NIH Director, the IC Director, and other management staff, as requested; and e)
maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments.
Information collected constitutes PII such as name, date of birth, social security number,
personal mailing address, personal phone numbers, personal email address, education records
and employment status. It is mandatory for employees to submit personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS,
nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is
used are relayed to employees via official notices from the NIH Office of Human Resources
(OHR). Individuals are notified of the collection and use of the data as part of the hiring process.
This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored in EDie is accessed by a very
limited number of administrative staff with a “need-to-know” status. EDie is password protected
and sensitive data is encrypted. The system is located on a server in a secure server room behind
the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCATS Privacy Coordinator)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Construction
Grants Management System (CGMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCATS Construction Grants Management
System (CGMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Josephine Kennedy
10. Provide an overview of the system: The system is used to track C06 Construction grants.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: CGMS only contains Grant
data, not financial data and not Privacy Act data: Grants Financial Management – Reporting and
Information; Grants Planning and Resource Allocation - Budget Formulation Information;
Program Monitoring Control and Oversight. No IIF is collected or maintained in the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCATS ISSO & Privacy Coordinator)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Electronic Funds
Management System (eFMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCATS Electronic Funds Management
System (eFMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Josephine Kennedy
10. Provide an overview of the system: The eFMS is a web-enabled fiscal planning tool of the
current fiscal year for the Office of Financial Management (OFM) and NCRR managers. Both
dynamic data from IMPAC II and local non-enterprise data are available. Grant data are
displayed in a variety of formats, including web pages, web summary tables, Excel spreadsheets
and formal reports. This system provides the Budget Officer with a means to ensure appropriate
fiscal control, monitor obligations to verify compliance, and provide accurate, current
information to NCRR management for the NCRR extramural portfolio.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: eFMS only contains Grant
data, not financial data and not Privacy Act data: Grants Financial Management – Reporting and
Information; Grants Planning and Resource Allocation - Budget Formulation Information;
Program Monitoring Control and Oversight. No IIF is collected or maintained in the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCATS ISSO & Privacy Coordinator)
Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy
McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Grants Workflow
Information System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Grants Workflow Information System
(GWIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Gregory Farber, Ph.D.
10. Provide an overview of the system: GWIS provides web-based and Microsoft Outlook
integration to help authorized NCATS personnel automate and improve the grant management
processes/workflows.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: GWIS is an internal grants
workflow solution. Information is obtained from the IMPAC II and eFMS (NCATS Electronic
Funds Management System). This information is for internal use only, and only the minimal
necessary data is collected to support the NCATS internal grants workflow process. GWIS is
integrated with Microsoft Outlook for authorized NCATS users. Workflows have been
identified and are being developed to process Unsolicited Administrative Supplements, Carry-
Over Requests, Funding Opportunity Announcements (FOAs)/ Program Announcements,
Annual Progress Report Approvals, National Advisory Council Processes, New and Competing
Continuation Awards, and Competitive Administrative Supplements.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy
McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Internet
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 3/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCATS Internet Website
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Josephine Kennedy
10. Provide an overview of the system: NCATS Public Website used to disseminate
information about NCRR resources and grant programs to biomedical researchers with NIH or
other peer-reviewed funding via the world wide web.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NCATS website will
disseminate information on NCATS initiatives and activities of relevance to the research
community. Shares only employee office contact information: name, title, position description,
office location and phone numbers to expedite communication with the public. This information
is not considered IIF because it is publicly available and in the context of how it is presented
cannot cause harm to the individual.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No Information in Identifiable Form. NCATS
employees are notified that their office contact information is made publicly available in the
course of their duties.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy
McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Intranet
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCATS Intranet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Yuliya Shifrin
10. Provide an overview of the system: The NCATS Intranet is used to disseminate relevant
information and useful dynamic applications to Center employees.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NCRR Intranet is used
internally to disseminate useful information to authorized NCRR employees and contractors.
Shares employee information: name, title, position description, office location and phone
numbers (internally only) to increase organizational communication and efficiency. This
information is not considered IIF because it is publicly available and in the context of how it is
presented cannot cause harm to the individual. This information is "opt out" for each employee.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Josephine Kennedy (NCATS ISSO & Privacy Coordinator)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS NCRR General
Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4802-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCATS General Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Josephine Kennedy
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCATS ISSO & Privacy Coordinator)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Science
Information System (SIS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4802-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): National Center for Advancing Translational
Sciences
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: R. Jean Babb
10. Provide an overview of the system: A database system used by NCRR staff to review
annual progress report data, code the research activities, and prepare reports highlighting
scientific accomplishments. This information is invaluable in supporting GPRA, PART, and
other materials used to inform the Administration, Congress, interested parties and the general
public. NCRR is working to integrate and strengthen clinical informatics.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
NCRR and NIH budget officials for reporting to Congress. Shares information internally for
generating funding reports for NIH OD and congress. Ref: 09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information is obtained from
the IMPAC II system and populates this database for internal use only. Information collected is
the minimal necessary to code and report on research projects for funding the grantees and
investigators. Mandatory for eRA submission. In addition, SIS now collects the name, email
address, phone number (and Fax) for external users needed for the Federated Login process of
registering users in the external active directory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The process in place is governed by IMPAC II, an NIH
Enterprise System maintained by eRA. SIS has no additional processes in place.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Policy and procedures are in place for
administrative management of the system. Technical controls are: username and password login,
firewalls, IDS, antivirus, and audit logs. Physical access to the server room is protected by a
double set of locked doors and must be accessed using a key fob and pass code (cipher lock).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy
Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCATS SOFIE
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anita Brooks
10. Provide an overview of the system: Manage expenditures and obligations. The purpose of
the system is to monitor expenditures. Program helps project the budget; allows users to know
how much money is left in the FY to spend.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: All accounting transactions
are available for viewing in VSOF. The information is used to track and plan fiscal budgets. It
is necessary to have access to this data in order to comply with appropriations laws and
regulations. Data elements stored are: arbitrary Document #, Object Class Code, Vendor,
Description of Expenses, and Purchase Amount.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCATS ISSO Privacy Coordinator)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Visual Employee
Database System (VEDS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCRR Visual Employee Database System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anita Brooks
10. Provide an overview of the system: VEDS is a windows based application primarily used
to track personnel information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The data is shared internally for administrative use only and will not be shared with other
entities. Ref: 09-90-0018
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NETCOMM
application collects personal information from the NIH Human Resource Database (HRDB)
through bi-weekly downloads. Social security numbers, names, grades, salaries, addresses,
telephone numbers, and job titles are included in the data collected. The data collected is used to
manage the organization's personnel information, under the authority of 42 USC 287c-21.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF in the system is gathered from the HRDB and NED
systems. Changes to the system or changes in the way the information is used are relayed to
employees via official notices from NCRR or the System Owners. Individuals are notified of the
collection and use of data as part of the hiring process; providing the data is mandatory if the
potential job applicant wishes to seek employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to sensitive data fields is limited to
those who need to know. Each user signs a security statement, and any violation results in loss
of access to the system. Policy and procedures are in place for administrative management of the
system. Technical controls are: username and password login, firewalls, IDS, antivirus, and audit
logs. Physical access to the server room is protected by a double set of locked doors and must be
accessed using a key fob and pass code (cipher lock).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy
Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Employee
Database, Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-014
7. System Name (Align with system Item name): NIH NCCAM Employee Database, Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Erica St. Michel
10. Provide an overview of the system: EDie is a web-based application that allows institutes
to accurately maintain individual employee, contractor, and volunteer information, as well as
plan for, monitor, and report on workforce staffing levels.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal senior administrative use only and will not be shared by
other entities. Refer to SORN 09-90-0018.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, Fellowship
Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses
consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports
requested by the NIH Director, the IC Director, and other management staff, as requested; and e)
maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments.
The type of information collected constitutes PII and includes the following: name, address,
phone number, social security number and date of birth, and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS,
nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is
used are relayed to employees via official notices from the NIH Office of Human Resources
(OHR). Individuals are notified of the collection and use of the data as part of the hiring process.
This is a mandatory requirement for potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored in EDie is accessed by a very
limited number of administrative staff with a “need-to-know” status. EDie is password protected
and sensitive data is encrypted. The system is located in Building 31, Rm 2B11 behind the NIH
firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Internet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-001
7. System Name (Align with system Item name): NCCAM Internet Web Site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Irene Liu
10. Provide an overview of the system: The NCCAM Web site (www.nccam.nih.gov) is used
to disseminate scientifically accurate information about complementary and alternative medicine
to the public and to health officials via the World Wide Web.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NCCAM Web site
(www.nccam.nih.gov) is used to disseminate scientifically accurate information about
complementary and alternative medicine to the public and to health officials via the World Wide
Web. NCCAM is not collecting personal information through the NCCAM Web site. Note:
NCCAM has submitted a separate PIA for the NCCAM Online Continuing Education Series
(please reference that PIA for more information).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored by this system is secured by
several locked and secure doors; badges are required for access to the facility and room, and user
identification and passwords are required for system access. Files are backed up regularly and
stored off site. Personnel have been trained to store and handle the information collected.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Intranet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-002
7. System Name (Align with system Item name): NCCAM Intranet Web Site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Irene Liu
10. Provide an overview of the system: The NCCAM Intranet Web site
(intranet.nccam.nih.gov) is used to disseminate relevant information and useful dynamic
applications to employees of the National Center for Complementary and Alternative Medicine
(NCCAM). The key legislation authorizing this Web site is 42 USC 287c-21.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NCCAM Intranet Web
site (intranet.nccam.nih.gov) is used to disseminate relevant information and useful dynamic
applications to employees of the National Center for Complementary and Alternative Medicine
(NCCAM). We are not collecting personal information through the NCCAM intranet Web site.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored by this system is secured by
several locked and secure doors; badges are required for access to the facility and room, and user
identification and passwords are required for system access. Files are backed up regularly and
stored off site. Personnel have been trained to store and handle information collected.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM NCCAM Local
Network [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): NCCAM-015
7. System Name (Align with system Item name): NIH NCCAM Local Network
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Eric Gallagher
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information. The GSS provides infrastructure support to minor
NCCAM applications.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable - The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable, system does not collect PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable, system does not collect PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Online
Continuing Education Series
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-010
7. System Name (Align with system Item name): NIH NCCAM Online Continuing Education
Series
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Irene Liu
10. Provide an overview of the system: NCCAM Online Continuing Education Series (OCES)
supports the NCCAM mission by providing free access to several educational video lectures and
continuing medical education completion documents. OCES is designed for health care
providers and the general public to view lectures on Complementary Alternative Medicine
(CAM). Health care providers may receive continuing education credits.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Cine-med Inc, the accrediting entity, has access to PII through OCES. The purpose is to provide
continuing education credits to trainees.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Users may
VOLUNTARILY provide the following information:
Name, Mailing address, Email, and Education Records, which are considered PII.
The purpose of the system is to provide continuing education credits. The information is only to
be used by Cine-med Inc, an accrediting entity.
Collection of this data is authorized under authority 42 USC 287c-21.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) NCCAM does not expect to have major changes to the
system.
A privacy policy is posted to inform users of the purpose of data collection and explain that data
will only be used to confirm registrant participation in the continuing education program (in
case they request a copy of their certificate).
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored by this system is secured by
several locked and secure doors; badges are required for access to the facility and room, and
user identification and passwords are required for system access. Files are backed up regularly
and stored off site. Personnel have been trained to store and handle information collected.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM SharePoint
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-013
7. System Name (Align with system Item name): NCCAM SharePoint
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Eric Gallagher
10. Provide an overview of the system: The system holds grant application information that is
retrieved from the IMPAC II database with additional tracking information added for the purpose
of application grant approval. The system tracks grant applications under authority 42 USC
287c-21.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
For internal purposes only; PII will not be shared or disclosed. SOR #09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: A grant application is
submitted voluntarily by the Investigator through the electronic application submission process in
Grants.gov. That information subsequently is stored in the centralized NIH eRA/IMPAC II
database - all notifications and consent procedures with subjects are handled at that level. For the
purpose of preparation and tracking of selected grants for funding at the IC/NCCAM level,
selected data are downloaded from the eRA database into SharePoint. The selected IIF data are
restricted to: Investigator Name and Degrees, Institution, Project Title, e-mail address. In
SharePoint that data is used only by NCCAM staff members who have been selected and
approved by senior level staff for the purpose of grant preparation and tracking. The data is not
shared with nor disclosed to any party, and is deleted on a routine basis (each fiscal year) when it
is no longer needed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All PII information is obtained from the NIH IMPAC II
system. Any major changes to the system should be handled at the NIH level. Notifications and
consent procedures with subjects are also handled at the NIH level. NCCAM does not have a
notification process in place as the applications database does not collect the initial PII. It is only
a recipient of PII collected by another database that is maintained at the NIH level; thus we do not
have our own notification process to obtain PII from individuals. This system does not have any
notification procedures in place in addition to those in place for the IMPAC II system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The SharePoint system is electronically
behind the NIH firewall and can only be accessed from behind the firewall. The information is
physically secured by a required key card and employee badge, and electronically secured by a
password login procedure to the NIH computer system, and a requirement of a password when
accessing the database. A comprehensive IRT is also maintained. Information is also secured by
least privilege, separation of duties, an intrusion detection system, locks and background
investigations.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-011
7. System Name (Align with system Item name): NIH NCCAM Status of Funds Internet
Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Valery Gheen
10. Provide an overview of the system: SOFie is a financial tracking tool that allows users to
access financial data and download data into spreadsheets in order to perform analysis.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Status of Funds internet
edition (SOFie) is required by the Administrative and Budget offices of NCCAM for tracking
and monitoring the Center’s budget. Utilizing client-server technology, SOFie gives users
flexible views and summaries of their accounting structure. The Accounting data and related
document information is downloaded from CAS and is relevant to/specific to NCCAM for its
fiscal year operations. It is necessary to have access to this data in order to comply with
appropriation laws and regulations. The system contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A - No PII
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using user name and
password, least privilege, separation of duties and intrusion detection system, firewalls, locks,
badge access, background investigations.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI AARP Phase I Pilot
Study (APS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: 0925-0594
6. Other Identifying Number(s): Z01 CP010196
7. System Name (Align with system Item name): NIH NCI AARP Phase I Pilot Study (APS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Yikyung Park
10. Provide an overview of the system: The APS is a web-based system that manages the data
collection activities related to the completion of four web-based instruments that capture dietary,
physical activity and health information. The APS allows for a respondent to consent and
complete a self-enrollment process. Enrollment includes the collection of contact information.
Upon successful enrollment, respondents are assigned instruments to complete and a schedule by
which to complete. Access to the instruments is granted to respondents based on their assigned
schedule. Email, text messaging, and automated phone calls are generated to remind respondents
of upcoming and overdue events.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII will not be shared nor disclosed. This collection is covered under System of Records Notice
09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Respondents will be asked
for their name, email address and phone numbers as part of the study conduct to send reminders
of upcoming events via automated outgoing phone calls, cell phone text messaging and
email. Respondents can opt-out of cell phone text message and automated phone call reminders.
Phone numbers are also collected for use in providing support to study respondents.
Date of birth is collected to verify enrollment criteria (>50 yrs of age) as well as to characterize
respondents when determining aggregate response rates.
Race, ethnicity, and state are also collected to characterize respondents.
Social security number is collected for a subset of the respondents in order to determine the
response rates and the likelihood in any main study of being able to link to cancer and other
health registries for endpoint analyses.
The following fields are required:
Gender, OMB race category(ies), ethnicity, first and last names, mailing address, email, and
social security number for a subset of respondents.
Participation is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The scope of the feasibility study is limited and there
are no plans to make any major changes to the system. In the event of any changes that impact
PII, respondents will be notified via email of a change and be directed to log into their APS
account for details or contact the APS helpdesk.
The consent text included in the system specifies what PII is being collected and how it will be
used or shared. Additionally, the system includes frequently asked questions (FAQs) that
further explain how IIF information is stored and will be used.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The following classes of controls are in
place to protect the APS and respondent PII: access such as user account management, access
enforcement, password strength, least privilege concept, session termination; security awareness
and training; audit and accountability; configuration management; contingency planning;
identification and authentication for users, devices; incident response including training, testing,
monitoring; timely and controlled maintenance; media protection; physical and environment
controls such as ID badges, physical access authorization using access cards, key locks and cipher
locks for building and room entry, monitoring, visitor control, emergency power, and shutoff,
disaster protection and recovery; system security plan; personnel security; rules of behavior; risk
assessment planning, monitoring, update; technical and communication protection including
denial of service protection; boundary protection, programmable firewalls, transmission
integrity; security certificates, encryption, regular virus detection and monitoring; policies and
procedures are in place for each family control class.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI ABCC Laboratory
Information Management System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Advanced Bioinformatics
Computer Center Laboratory Information Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jin Chen, Building 430 -
FCRDC, 226, 1050 Boyles Street, Frederick, MD, Phone: 301-846-5549
10. Provide an overview of the system: The ABCC LIMS is a bio-informatics analysis tool in
the ABCC (Advanced Biomedical Computing Center). It is a web-based single-server application
hosted by the ABCC-IT Infrastructure and residing in that data center.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: LIMS collects samples,
inventory, parameters and data files used or generated in the workflow. LIMS also uses project and
client information from the CSAS system for enterprise cross-system integration purposes, where
client information includes federal contact data. LIMS also holds lab users' email addresses for
identification purposes. Submission of federal contact information is voluntary. The information
does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI
ACCRUALNET.CANCER.GOV, ANPORTAL.CANCER.GOV
(ACCRUALNET)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH NCI AccrualNet -
accrualnet.cancer.gov, anportal.cancer.gov
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: LINDA PARRECO
10. Provide an overview of the system: Accrual Net is an online community of practice
designed to provide clinical trials professionals with a centralized resource for clinical trials
recruitment resources, strategies and tools. It aims to improve accrual by making ‘checking the
evidence’ a routine practice during the recruitment planning process. ANPortal is the
management site used to procure and review content for the site and is accessed externally only
by authorized administrators. Accrual Net and ANPortal do not contain any PII.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) Accrual Net collects and
maintains a centralized resource for clinical trials recruitment resources, strategies and tools. 2)
AccrualNet will collect the information for the purpose of improving accrual by making
‘checking the evidence’ a routine practice during the recruitment planning process. It will
provide clinical trials professionals access to resources, strategies and tools. 3) Accrual Net and
ANPortal do not contain any PII. 4) If users wish to register on the site, they must provide
username, work email, password and occupation. Years of clinical research, institution and areas
of interest are voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The system does not contain PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI AdEERS Filing
System (AdEERS FS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: To be obtained
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: To be obtained
6. Other Identifying Number(s): NA
7. System Name (Align with system Item name): NIH NCI AdEERS Filing System (AdEERS
FS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jan Casadei
10. Provide an overview of the system: The purpose of the CTEP AdEERS Filing System is to
collect, store, manage and report expedited adverse events related data. The data collected is
stored in hardcopy format in secure filing systems as well as secure Electronic Filing Systems
operated by NCI CTEP contractors managing this process. Expedited adverse event information
is reported to FDA as required in accordance with FDA regulations and guidelines.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
AdEERS FS shares and discloses adverse events related information on NCI sponsored clinical
trials with FDA, NCI Investigators and Pharmaceutical sponsors in accordance with federal
regulations and guidelines. Most of the information that AdEERS FS collects and shares is
publicly available elsewhere.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Legislation authority is the
Public Health Service Act (42 U.S.C. 241, 242, 248, 282, 284, 285a-j, 285l-q, 287, 287b, 287c,
289a, 289c, and 44 U.S.C. 3101.).
The types of data collected are scientific and health data about cancer clinical trials, including
clinical and pre-clinical data with associated regulatory and administrative supporting
information.
AdEERS FS collects clinical trials data including study information, submitter/reporter
information, principal investigator information, treatment assignment, relationship of events to
treatments, time of resolution of events, narrative description, events that occurred and their
grading and attribution, primary source documents that provide clinical information on the
patient’s evaluations and course of treatments and hospitalization, etc. Additionally, name,
mailing address, phone number and email are also collected and maintained.
The information is used to assure patient safety, for scientific decision making, drug distribution,
regulatory oversight (i.e., investigator registration, trial audits, etc.), and to facilitate
administrative operations.
NCI Investigators who participate in NCI sponsored clinical trials submit their information to
CTEP in a signed Investigator Registration (IR) packet. This investigator registration packet,
along with an additional cover letter, explains to the investigators the intended purpose and usage
of their information.
Patient participation in CTEP clinical trials is voluntary and participants in CTEP clinical trials
sign an informed consent.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All patients sign informed consent forms prior to
enrollment on study. Informed consent forms are obtained in compliance with OHRP/IRB and
ORI regulations.
AdEERS FS shares and discloses adverse events related information on NCI sponsored clinical
trials with FDA, NCI Investigators and Pharmaceutical sponsors in accordance with federal
regulations and guidelines. Most of the information that AdEERS FS collects and shares is
publicly available elsewhere.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Data in AdEERS Filing System is protected
via administrative, technical and physical controls. Hard copy documents are filed in secure
filing cabinets behind a locked door in a secure environment with restricted access to the facilities.
Only select authorized staff are allowed to access the hard copies. Access logs for hard copy
documents are maintained. Access to data stored in the Electronic Filing System is through
password-protected accounts. The server on which the Electronic Filing System is hosted is
maintained in secure facilities.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Advanced Biomedical
Computing Center (ABCC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-15
7. System Name (Align with system Item name): NCI Advanced Biomedical Computing
Center ABCC
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jack R. Collins
10. Provide an overview of the system: The mission of the Advanced Biomedical Computing
Center (ABCC) is to provide high performance computing for the National Cancer Institute, both
for its intramural and extramural scientists.
Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285,
Sec. 285a
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected
consists of name, work phone number, work address, and work e-mail of government employees.
This is collected when people sign up to take a class on how to use the ABCC. None of the data
collected is information subject to the Privacy Act.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in this system
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII collected. System uses firewalls,
passwords, locks, ID badges, background investigations, network monitoring and an Incident
Response team.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Advanced Biomedical
Computing Center IT Infrastructure [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Advanced Biomedical Computing
Center IT Infrastructure
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Gregory Warth, Building 430 -
FCRDC, 234, 1050 Boyles Street, Frederick, MD, Phone: 301-228-4376
10. Provide an overview of the system: The ABCC data center is a 3800 SQFT facility capable
of handling 310KW of equipment housed in a secure space accessible only by swipe card where
every transaction is recorded. The NCI-Frederick network is part of and attached to the NCI
network via a Firewall. All network, service, storage, and other nodes are under change control
and comply with FDCC and NIH’s minimum standard security configurations. There are
approximately 5000 workstations and 800 servers attached to the network.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system consists only of
infrastructure. All information is housed within applications that the infrastructure supports.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) System contains no PII data
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system does not contain PII data
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Agricultural Health
Study --Westat (AHSW)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: 0925-0406
6. Other Identifying Number(s): AHSW
7. System Name (Align with system Item name): NIH NCI Agricultural Health Study - Westat
(AHSW)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Michael Alavanja / Stanley
Legum
10. Provide an overview of the system: The Agricultural Health Study is a collaborative effort
involving the National Cancer Institute (NCI), the National Institute of Environmental Health
Sciences (NIEHS), and the U.S. Environmental Protection Agency (EPA). The study has four
major components:
1. The main prospective cohort study - cancer and non-cancer outcomes
a. linkage with cancer registries, vital statistics, United States Renal Data
System (USRDS)
b. ongoing data collection (i.e., telephone interview, food frequency
questionnaire and cheek cell collection)
2. Cross-sectional studies - including questionnaire data, functional measures,
biomarkers, and GIS
3. Nested case-control studies
4. Exposure assessment and validation studies
The cohort includes 89,658 private pesticide applicators, spouses of private applicators, and
commercial pesticide applicators recruited within Iowa and North Carolina. Phase I, initial
cohort recruitment, began in 1993 and concluded in 1997. Phase II follow-up began in 1999 and
concluded in 2003. The Phase III follow-up began in 2005 and concluded in February 2010.
Phase I observation involved administration of a questionnaire to obtain information on pesticide
use, other agricultural exposures, work practices that modify exposures, and other activities that
may affect either exposure or disease risks (e.g. diet, exercise, alcohol consumption, medical
conditions, family history of cancer, other occupations, and smoking history). Phase II had three
data collection components: a computer-assisted telephone interview (CATI), buccal cell
collection, and a mailed dietary questionnaire. Phase II interviews are designed to record
updated information on pesticide use since enrollment, current farming and work practices, and
changes in health status. In addition, the Dietary Health Questionnaire in Phase II makes a
detailed evaluation of subjects' cooking practices and dietary intake. The buccal cell collection
of Phase II was implemented to assess the impact of genetic risk factors on epidemiologic
outcomes. Phase III included two data collection components: a CATI interview and a buccal
cell collection for selected members of the cohort. In addition to Phase II and Phase III data
collection activities that include the whole cohort, a series of sub-studies involving a small
number of study participants will directly measure applicator and family member exposures to
selected pesticides and/or focus in greater detail on subgroups with specific diseases or
exposures.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information Management Services (IMS - separately contracted by NCI - performs data analyses
for NCI) National Death Index (NDI) - Annual match with NDI Plus files. Internal Revenue
Service - to obtain updated address information. This system is also covered under the Privacy
Act System of Records Notice 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: AHS analytic data files do
not contain direct identifiers such as name, address, or SSNs. PII is shared with NDI and the IRS
when we are performing matches to NDI and IRS files. Contact information (name, address,
phone number) is stored in anticipation of use in future substudies, cohort maintenance
purposes (e.g., possible mailings of study update newsletters), and matching with state and
national vital statistics and health registries.
The AHS has four major components:
1. Main prospective cohort study - cancer and non-cancer outcomes
a. linkage with cancer registries, vital statistics, United States Renal Data
System (USRDS)
b. data collection (i.e., telephone interview, food frequency
questionnaire and cheek cell collection; no longer ongoing)
2. Cross-sectional studies - including questionnaire data, functional measures,
biomarkers, and GIS
3. Nested case-control studies
4. Exposure assessment and validation studies
There were also a series of sub-studies involving a small number of study participants that
directly measured applicator and family member exposures to selected pesticides and/or focused in
greater detail on subgroups with specific diseases or exposures. Additional substudies may be
conducted in the future.
Participation is voluntary.
PII collected and maintained include name, date of birth, social security number, mailing
address, phone number, and pesticide application certificate types.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There have been no major changes in the system and
none are contemplated. Our IRB would review any major changes prior to implementation and
provide us with guidance on any needed notification and consent requirements.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Extensive safeguards are in place to ensure
the confidentiality of each subject is protected. Each subject is assigned a six-digit number;
these IDs are used for any references to subjects on an individual basis. Names and other
identifying information are kept in a separate database from the analytic files. These data are
joined only for performing linkages to the mortality and cancer incidences databases and for
direct contacts with cohort members to inform them of study progress or to request their
participation in substudies. Several layers of passwords exist to ensure unauthorized access to
electronically stored data is not permitted. Hard copies of questionnaires that contain any
personal information have been shredded. Informed consent forms, which contain subjects'
names and study IDs, are stored in a secure facility separate from other study data. All personnel
involved with the project have signed confidentiality agreements.
Files with PII are stored in a directory accessible only to the project's lead systems manager and
one programmer. Data stored in the SQL Server contact database are protected with application
level security and an additional password. Data stored in other file formats are encrypted when
not in use and the encryption key is known only by the same two staff members. The files are
never left in unencrypted form overnight, so that automatic backups contain only encrypted
versions.
The system is protected by firewalls, intrusion detection systems, and passwords. There are
comprehensive system security and contingency plans in place. An Incident Response capability
is maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Automated Self-
Administered 24-Hour Recall (ASA24)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Automated Self-Administered 24-
hour Recall (ASA24)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Nancy Potischman
10. Provide an overview of the system: Self-reported dietary assessment methods are
commonly used to measure food intakes for dietary surveillance, nutritional epidemiology,
clinical and intervention research. We developed a 24-hour dietary recall that could be
unannounced, automated, and self-administered to make feasible the administration of multiple
days of recalls in large-scale epidemiological studies, surveillance sites, behavioral trials and
clinical research. The format and design were modeled on the interviewer-administered
Automated Multiple Pass Method (AMPM) developed by the US Department of Agriculture
(USDA). The website collects information about subjects' diet for the previous day for
extramural researchers doing epidemiologic or clinical research. There is no personally
identifiable information collected on this site. The respondents are given a username and
password by the NCI in order to gain access to the website. Participation in these studies is
voluntary and nonparticipation has no impact on the subjects' care or involvement in other
aspects of the studies.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The diet information
collected provides a service for outside researchers and will not be used by the agency. The
system does not contain PII and the information is provided by subjects on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Biospecimen Research
Database/Biospecimen Research Network (BRD/BRN)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not applicable
5. OMB Information Collection Approval Number: Not applicable
6. Other Identifying Number(s): Not applicable
7. System Name (Align with system Item name): NIH NCI Biospecimen Research
Database/Biospecimen Research Network (BRD/BRN)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Andrew Breychak/Ian Fore
(owner)/Ajay Nalamala/Amit Srivastava
10. Provide an overview of the system: The Biospecimen Research Database (BRD) is a
searchable public data repository of published papers and studies collected from PubMed that
have been consistently annotated for the purposes of biospecimen science. As of June 1, 2011
there are approximately 1,140 records (each record representing a study). There is 1 system
administrator and 3 curators who have access to add/edit/delete the data using a secure web
curation interface.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not applicable; no PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) No information collected;
records maintained are published papers & studies gathered from PubMed, curated, and
disseminated (no contact data)
2) NCI-OBBR uses this information to disseminate curated information about existing
published papers & studies where significant findings for biospecimen science have occurred
3) This information and application contain NO PII
4) Submission of personal information is NOT required and therefore neither voluntary nor
mandatory
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not applicable; no PII is collected or disseminated.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not applicable; No PII is collected, stored,
or disseminated by this system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI California Health
Interview Survey (CHIS) Information Technology System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0598
6. Other Identifying Number(s): N02-PC-54400
7. System Name (Align with system Item name): California Health Interview Survey (CHIS)
Information Technology System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Nancy Breen - NCI /Sansan Lin
- UCLA
10. Provide an overview of the system: The California Health Interview Survey (CHIS) is a
population-based random-digit dial telephone survey of California's population conducted every
other year since 2001 by the UCLA Center for Health Policy Research (UCLA-CHPR). UCLA-
CHPR has the lead responsibility for managing the survey, preparing, maintaining, and
disseminating the CHIS data files, reporting the survey findings, and disseminating the survey
results. All CHIS confidential data files are maintained at the Data Access Center (DAC). No
PII is contained within the CHIS confidential data files. The Data Access Center is designed to
provide access to CHIS confidential files in a secured, controlled environment that protects the
confidentiality of respondents.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII in the system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: All data received by UCLA-
CHPR is in de-identified form with all personal identifiers removed. All research participants
provide verbal consent to participate in CHIS. The verbal consent script for each CHIS survey is
approved by the UCLA Institutional Review Board and the California Health & Human Services
Committee for the Protection of Human Services. The consent script informs respondents about
the voluntary and confidential nature of the survey and assures them that their individual answers
would not be linked to their identity or disclosed. There is no PII in the system. All data is
given voluntarily by respondents.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI California Health
Interview Survey Cancer Control Module (CHIS-CCM) 2009
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0598
6. Other Identifying Number(s): N02-PC-54400
7. System Name (Align with system Item name): NIH NCI California Health Interview
Survey Cancer Control Module (CHIS-CCM) 2009
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Nancy Breen
10. Provide an overview of the system: IMS is contracted by NCI to maintain CHIS microdata
in a secure environment. There is no identifying information in the data. CHIS data include a
range of cancer control variables for respondents including use of cancer screening, and a wide
range of socio-demographic variables including health insurance status, usual source of health
care. NCI analysts examine statistical patterns and trends in cancer control outcomes in
California using CHIS. IMS staff develop programs to conduct statistical analyses as specified
by NCI researchers.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) IMS is under contract
with NCI to maintain CHIS microdata files as needed for analysis by NCI. IMS programmers and
statisticians work under contract with NCI staff to help with programming and statistical analysis
as specified by NCI staff. 2) NCI uses CHIS data to conduct statistical analysis of cancer control
outcomes. These include use of cancer screening services, patterns and trends in tobacco use,
physical activity and other cancer-control related behaviors. 3) No PII in the system. 4) No PII
in the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Biomedical
Informatics Grid (caBIG, caGRID) [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Cancer Biomedical Informatics Grid
(caBIG) caGRID
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Matthew Kennedy
10. Provide an overview of the system: caGrid is the underlying service-oriented infrastructure
that supports caBIG. Driven primarily by scientific use cases from the cancer research
community, it provides the core infrastructure to compose the Grid of caBIG. caGrid provides
the technology that enables collaborating institutions to share information and analytical
resources efficiently and securely, while also allowing investigators to easily contribute to and
leverage the resources of a national-scale, multi-institutional environment.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: caGRID does not collect,
maintain or disseminate any data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) caGRID is an infrastructure and does not contain PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Central
Clinical Patient Registry (C3PR)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NCI Cancer Central Clinical Patient
Registry (C3PR)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: David Patton
10. Provide an overview of the system: C3PR is a central participant registry and underlying
database that will allow the management of patient clinical trials registration information and
protocol information across studies, sites, systems and organizations.
C3PR operates on its own data tables with a close interface with Oracle Clinical. The
implementation of the system will preserve the fundamental independence of the storage of the
patient and registration information from the scientific and research data. System identifiers will
be used to relate patient demographics and identifying information to eligibility, medical or
treatment data.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The System shares PII with users of the Cancer Central Clinical Database (C3D) who are health
care professionals who input patient data into the C3D System.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Agency will collect
from patients their name, date of birth, address, gender, race, and ethnicity for
registry purposes for the Cancer Central Clinical Database (C3D) application. Submission of all
personal information is voluntary. A medical records number will be assigned to them. This
information is Personally Identifiable Information (PII) and submission of this personal
information is voluntary subject to a Consent Form.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Patients voluntarily sign a consent form to
provide names, dates of birth, and gender as PII, and are informed that it will be used for the registry, as well as for
cancer research. The consent form obtains consent from the patient and notifies the patient of
his/her rights. The patient will be notified if any major changes occur to the system. The PII
will be destroyed when the system is decommissioned.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include annual risk
assessments and the SDLC. Operational controls include personnel controls and strict account
granting. Technical controls include firewalls, IDS, logon banner warnings, identification and
authentication, database roles, file permissions and anti-virus/malware scanning.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Data
Standards Repository-Standards Reporting-Common Data Elements (caDSR-
SBR-CDE)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4921-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-31
7. System Name (Align with system Item name): NIH NCI Standards Based Report (caDSR)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dave Hau
10. Provide an overview of the system: One of the problems confronting the biomedical data
management community is the panoply of ways that similar or identical concepts are described.
Such inconsistency in data descriptors (metadata) makes it nearly impossible to aggregate and
manage even modest-sized data sets in order to be able to ask basic questions. The NCI, together
with partners in the research community, develops common data elements (CDEs) that are used
as metadata descriptors for NCI-sponsored research. The caDSR is a database and tool set that
the NCI and its partners use to create, edit and deploy the CDEs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NCI, together with
partners in the research community, develops common data elements (CDEs) that are used as
metadata descriptors for NCI-sponsored research. The system does not collect IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Diagnosis
Program (CDP)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): NCI-7
7. System Name (Align with system Item name): NIH NCI DCTD Cancer Diagnosis Program
(CDP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Margaret M. Cavenagh, M.S.
10. Provide an overview of the system: A contractor independently receives de-identified data
or minimal datasets with data use agreement from cooperative agreement funded participants in
NCI supported human specimen resources and makes subsets of that data available to researchers
using the specimens. A contractor manages password-secure websites that provide logistics
support for the research projects.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Does not share IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: No IIF is collected. De-
identified information is being provided from the records of cooperative agreement funded
institutions participating in NCI funded human specimen resources. The purposes and
procedures of these activities have been reviewed by institutional review boards and deemed
appropriate.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is collected. Only de-identified data or a limited
dataset with data use agreements under the DHHS Privacy Rule is involved.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF in the system; however, the system
uses usernames/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, and background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Genome
Anatomy Project (CGAP)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-25
7. System Name (Align with system Item name): NCI Cancer Genome Anatomy Project
(CGAP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carl Schaefer
10. Provide an overview of the system: The goal of the NCI's Cancer Genome Anatomy
Project is to determine the gene expression profiles of normal, precancer, and cancer cells,
leading eventually to improved detection, diagnosis, and treatment for the patient. By
collaborating with scientists worldwide, such as the Ludwig Institute for Cancer Research and
Lund University, CGAP seeks to increase its scientific expertise and expand its databases for the
benefit of all cancer researchers. Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER
III, Part C, subpart 1, Sec. 285, Sec. 285a and 44 U.S.C. 3101
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Cancer Genome
Anatomy Project determines the gene expression profiles of normal, precancer, and cancer cells,
with the goal of improved detection, diagnosis, and treatment for the patient. Gene expressions
are not identified with any individual.
No IIF is collected. Data is downloaded by NIH NCI NCICB authorized users, in this case,
cancer researchers.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF collected. System uses firewalls,
passwords, locks, ID badges, background investigations, network monitoring and an Incident
Response team.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Human
Biobank Comprehensive Biospecimen Resource (caHUB CBR)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): NCI Contract No. HHSN261200800001E
7. System Name (Align with system Item name): NIH NCI Cancer Bioinformatics Grid
(caBIG) Cancer Human Biobank Comprehensive Biospecimen Repository (caHUB CBR)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bryon Campbell, Ph.D./Edward
Suh, Sc.D. Contractors--Van Andel Research Institute
10. Provide an overview of the system: The users of the CBR system are NIH/NCI personnel
and contractors only. This system is not available to members of the public.
Information is organized by using metadata that includes objects, e.g. Specimen, Biohazard,
Storage Container and attributes including tissue identifier (a numeric identifier that identifies
the tissue sample kept in the facility. This identifier is not linked or related to any personal
identifier), type, tissue site, concentration, and class.
Personal identifiers about the donors are not collected. The system implements a powerful query
engine that can support any of the attributes or combination of attributes listed here if the tissue
data has been collected and is available in the database. The sample ID is a coded identifier that
is not linked to any Electronic Health Record (EHR) system, and cannot be used to link records
in the system to any identifiable information.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. De-identified dataset on
bio-specimens (tissue)
2. Data supports clinical research
3. No PII is collected, stored, processed, or disclosed by this system. System contains only de-
identified information or aggregate statistical analyses.
4. All data are submitted voluntarily. De-identification of the data is conducted at the tissue bank
facility when the information about the tissue sample is input into the CDR node (client
software) to be sent to the CDR via the HTTPS protocol. The de-identification process includes the
exclusion of PII data from the data input (a manual process). In other words, fields such as
donor's name, address, demographics, etc. are not available for data entry.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A - The caHUB CBR does not collect, maintain, or
disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system does not collect PII data
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Human
Biobank Comprehensive Data Resource (caHUB CDR)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Cancer Human Biobank
Comprehensive Data Resource (caHUB CDR)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: David Tabor
10. Provide an overview of the system: caHUB CDR is the Office of Biorepositories and
Biospecimen Research (OBBR) tool for biospecimen inventory management, tracking, and
annotation. This tool permits users to enter and retrieve data concerning the collection,
processing, storage, quality assurance, and distribution of human biospecimens as well as clinical
data about the biospecimen donor. Data will be collected about both living and deceased
biospecimen donors. The Comprehensive Data Resource (CDR) is sufficiently scalable and
configurable for deployment across biospecimen resources of varying size and function, and the
management of multiple types of biospecimens (tissue, biofluids, nucleic acid). The tool will
collect and store information about biospecimens and biospecimen donors in a format consistent
with a HIPAA Privacy Rule Limited Data Set, including PII such as date of birth and other dates
that are related to the clinical history of the donor and the collection, handling and processing of
the biospecimens. The tool provides search functionality for both the biorepository and OBBR
staff. Access to the system will be strictly controlled and role-based, such that individuals outside
of the CDR will only have access to deidentified data.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
While the CDR will collect and store PII in the form of dates related to clinical services (e.g. date
of surgery) and demographics (e.g. date of birth), all data will be completely deidentified (per
HIPAA Privacy Rule) prior to being shared or disclosed. In addition, all research collaborators
who receive data from the CDR will be required to sign a material transfer agreement that will
include limitations on how data and biospecimens can be used and disclosed.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. The CDR will collect,
maintain, and store information related to the collection, processing, storage, quality assurance,
and distribution of human biospecimens as well as clinical data about the biospecimen donor.
Clinical data will include demographics, medical history, treatment, and outcome data for
biospecimen donors.
2. The data is being collected and used for the purposes of biomedical research. The overall
vision of caHUB is to contribute to medical advances by conducting and facilitating biobanking
science and standards research. caHUB will systematically address the gaps in knowledge
needed to improve the state-of-the-science and to strengthen the standards for human
biobanking. Detailed information is needed about both the biospecimen and the biospecimen
donor to allow a better understanding of the patient's disease as well as how different
variables associated with the collection, handling and processing of biospecimens affect overall
biospecimen quality and the impact on downstream research.
3. The tool will collect and store information about biospecimens and biospecimen donors in a
format consistent with a HIPAA Privacy Rule Limited Data Set, including PII such as date of
birth. Information will include clinical data, such as dates of clinical procedures (e.g. date of
surgery, date of diagnosis etc.). caHUB has entered into Material Transfer and Data Use
Agreements with biospecimen source sites that provide the biospecimens and data and the
agreements specify limitations on the use and disclosure of the PII.
4. All data are submitted voluntarily. In the case of living donors, informed consent is required
for submission of biospecimens and data to caHUB. For deceased donors, authorization will be
required from the decedent's next-of-kin prior to collection of biospecimens and data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1. Consent will be obtained from biospecimen donors
for the collection and use of their clinical data for the caHUB project. The consent language
describes the types of data that will be collected and the general types of research that will be
performed as part of caHUB. The collection and submission of biospecimens and data will be
overseen by the Institutional Review Board (IRB) at the collection site and re-contact for
additional consent would be possible if deemed necessary.
2. In the case of living donors, informed consent will be required for donation of biospecimens
and data to caHUB. For deceased donors, pre-consent from individuals (through living wills or
registries) and authorization from the decedent’s next-of-kin are required prior to collection of
biospecimens and data. The consent/authorization language describes the types of data that will
be collected for caHUB. Donors or their next-of-kin will be given a paper copy of the
consent/authorization for caHUB biospecimen and data submission.
3. The consent/authorization language for caHUB describes how the information will be used,
including the types of biomedical research that are anticipated. The consent/authorization
language also states that only deidentified data will be shared and describes the oversight
mechanism for such sharing. All data will be completely deidentified (per HIPAA Privacy Rule)
prior to being shared or disclosed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII limited data set stored in the system
is comprised of birth date, date of death, date of diagnosis, and dates of significant events (such as
surgical events) and is protected following NIST SP 800-122, "Guide to Protecting the
Confidentiality of Personally Identifiable Information (PII)", and NIST SP 800-53 security
controls. The data has been qualified using the NIST SP 800-122 criteria in the following way:
Identifiability: The information does not directly identify the individual, the data set is limited to
date of birth, date of diagnosis, date of death and dates of treatment events (such as surgical
events).
Quantity of PII: 1000 or more records
Data field sensitivity: the limited data set is considered low sensitivity since there are no direct
identifiers or any other information linking the individual to the data.
Context of use: The release of the date of birth, date of death and date of diagnosis along with
other treatment event dates would not likely cause harm to the individuals considering that it is
not possible to directly identify the tissue donor by the data set collected.
Access to and location of PII: The information is accessed by NIH employees and contractors
only. The data provided to end users of the system will be deidentified data per the HIPAA
Privacy Rule.
Protection of the PII data policy: follows the NIH policy for PII protection found at
http://oma.od.nih.gov/ms/privacy/pias.html.
Awareness, Training and Education: Follows NIH policy, yearly security awareness training.
Security Controls:
Access Enforcement (AC-3) Implements role-based access control, and data de-identification
process
Separation of Duties (AC-5) De-identified data users do not have access to system administration
or access to the database where PII limited data set is maintained.
Remote Access (AC-17) Remote access is protected through transport layer security (SSL) and is
limited to the data contributors who are NIH / SAIC-F / sub-contractors. Other remote end users
have access only to de-identified data.
User-Based Collaboration and Information Sharing (AC-21) Users who contribute data to the CDR
do so under contract with the NCI-F and through transport layer security connections; end users
have access to de-identified data only through the CDR web interface, which is also protected
using SSL and a user name and password.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Imaging
Program Website (CIP)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): NCI-74
7. System Name (Align with system Item name): Cancer Imaging Program
http://imaging.cancer.gov
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Frank Lin
10. Provide an overview of the system: This is the public website for the NCI Cancer Imaging
Program. It is used to provide information concerning the program to the public and research
community.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Cancer Imaging
Program uses this website to disseminate information concerning the Program to the public. It is
for information purposes. There is no IIF contained in the system. There is a webpage form used
to generate an e-mail to CIP staff, which allows individuals to ask questions. The information on
the webpage is not kept and is the equivalent of an individual sending an e-mail to the program.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF in the system, however the site is
protected by NCICB infrastructure security measures including firewalls, server password
protection mechanisms and is monitored by the IRT for intrusion detection.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Information
Service (CIS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI CIS/Cancer.gov Sites
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Robert Zablocki
10. Provide an overview of the system: The system includes several search interfaces
accessible through the Cancer.gov site (Organizations that offer support services) and Email Us.
The search interface is an information site meant to provide users with search capabilities to retrieve a
list of organizations concerned with helping cancer patients and their families/friends. The
Email Us page provides the public with access to submit questions via email or chat to the NCI's
Cancer Information Service.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The search interface
(Organizations that offer support services) allows users to input their e-mail address in order to
receive selected information via e-mail. E-mail addresses are not maintained or disseminated; e-
mail addresses are provided voluntarily by users and are used only to provide requested
information via this channel. Users have other print options available should they wish to have
this information but not provide an e-mail address.
The Email Us page and the LiveHelp Welcome page provide users with access to the email and
LiveHelp chat service manned by NCI’s Contact Center staff, which is included in a separate
PIA, NIH NCI CIS Extranet.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) E-mail address is not stored and so users cannot be
contacted about major changes to the system. Online help files describe features/functions of the
sites and are updated as changes are made.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Integrator
(caIntegrator)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-76
7. System Name (Align with system Item name): NIH NCI Cancer Integrator (caIntegrator)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: JJ (Jeng-Jong) Pan
10. Provide an overview of the system: The caIntegrator knowledge framework provides
cancer researchers with the ability to perform ad hoc querying and reporting across multiple
domains of cancer data. This application framework comprises an n-tier service oriented
architecture that allows pluggable web-based graphical user interfaces, a business object layer,
server components that process the queries and result sets, a data access layer and a robust data
warehouse. At the heart of caIntegrator is the Clinical Genomics Object Model (CGOM) that
provides standardized programmatic access to the integrated biomedical data collected in the
caIntegrator data system. Design of the CGOM is driven by use cases from two critical NCI-sponsored
studies, a brain tumor trial called GMDI (Glioma Molecular Diagnostic Initiative) and
a breast cancer study called I-SPY TRIAL (Investigation of Serial Studies to Predict Your
Therapeutic Response with Imaging And moLecular analysis). The model represents data from
clinical trials, microarray-based gene expression, SNP genotyping and copy number
experiments, and Immunohistochemistry-based protein assays. Clinical domain objects in
CGOM allow access to Clinical trial protocol, treatment arms, patient information, sample
histology, clinical observations and assessments. Genomic domain objects allow access to
biospecimen information, raw experimental data, in-silico transformation and analyses
performed on the raw experimental datasets and biomarker findings. The clinical and genomic
findings domain objects have relationships to the FindingsOntology object, as the findings can be
complex concepts which, in turn, can be generically represented as items occurring in an
ontology (for example, WHO histopathological classification for brain tumor histology findings).
caIntegrator supports the mission of the National Cancer Institute, NIH Center for
Bioinformatics as a web application for cancer research.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The agency collects from
authorized researchers, maintains, and disseminates via a strictly controlled process to authorized
researchers de-identified medical data consisting of de-identified imaging and molecular analysis
cancer data, including DNA snippets. This information is submitted on a voluntary basis. No
personal information is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Therapy
Evaluation System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4902--00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: NA
6. Other Identifying Number(s): NCI-14
7. System Name (Align with system Item name): NIH NCI Cancer Therapy Evaluation
Program Enterprise System (CTEP-ESYS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Steve Friedman (George
Redmond is alternate POC)
10. Provide an overview of the system: The purpose of the system is to assure patient safety
and meet the NCI CTEP scientific, regulatory, administrative and operational program mission.
Specifically, it is used to document, track, monitor and evaluate NCI clinical research activities.
The Cancer Therapy Evaluation Program Enterprise System (CTEP-ESYS) project is the
primary data collection mechanism for NCI's vast clinical trials program. CTEP-ESYS collects
safety and clinical results data on ongoing cancer clinical trials (trials not yet completed). Data
reporting and analysis in real time is critical to ensuring adequate monitoring of the ongoing
clinical research. Timely data reporting and analysis also assures effective planning for the
required successor studies, thus accelerating the evaluation of promising new agents and
regimens for patients with cancer.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
CTEP-ESYS shares NCI Investigator and NCI Associates data with the Clinical Trials Support
Unit (CTSU), a CTEP/NCI sponsored project to increase participation in NCI sponsored cancer
related clinical trials. The CTSU system provides additional information about the clinical trials
that are ongoing at various cooperative groups. With increased awareness and access to the trials
information, CTEP intends to increase physician and patient participation in the NCI sponsored
trials.
CTEP-ESYS also shares IIF with NCI Center for Biomedical Informatics and Information
Technology’s Clinical Data System (CBIIT-CDS) to facilitate clinical trials related data
collection functions that CBIIT-CDS application performs for CTEP-ESYS applications.
Some of the information that CTEP-ESYS shares with CTSU and CBIIT-CDS is also publicly
available elsewhere.
This system falls under the guidelines of Privacy Act System of Records Notice 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Legislation authority is the
Public Health Service Act (42 U.S.C. 241, 242, 248, 282, 284, 285a-j, 285l-q, 287, 287b, 287c,
289a, 289c, and 44 U.S.C. 3101.).
The types of data used are scientific and health data about cancer clinical trials, including clinical
and pre-clinical data with associated regulatory and administrative supporting information.
Patient participation in CTEP clinical trials is voluntary and participants in CTEP clinical trials
sign an informed consent. Types of information available in the enterprise include protocols and
protocol attributes, drug inventory and site distribution records, adverse event report, site audit
reports, IND submission records, Investigator registration details, and Non-IIF patient accrual
details. The information is used to assure patient safety, for scientific decision making, drug
distribution, regulatory oversight (i.e., investigator registration, trial audits, etc.), and to facilitate
administrative operations.
CTEP Staff routinely generate standard reports and request ad-hoc reports that display CTEP-
ESYS data. The reports are used by CTEP Staff to analyze clinical trial operations and are also
used to communicate with external collaborators. In addition to CTEP initiated reports,
occasionally ad-hoc reports are created from CTEP-ESYS to support a response to a FOIA
request.
In addition, CTEP has coordinated a procedure where commercial pharmaceutical companies can
request reports that provide data related to adverse events and accrual of on-going cancer related
clinical trials. This procedure requires review and approval by the CTEP Regulatory Affairs
Branch (RAB) prior to the generation of reports.
PII collected include name, mailing address, phone number, and email.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) CTEP-ESYS collects Information in Identifiable
Format (IIF) related to NCI Investigators and Associates who are aware of the intended purpose
and usage of the information. NCI Investigators furnish their information to CTEP in a written
application. NCI Associates furnish their information to CTEP via an online registration process.
CTEP-ESYS users are required to acknowledge the NIH Privacy Policy posted on the Warning
Banners prior to accessing the CTEP-ESYS.
Changes to CTEP-ESYS are managed and controlled via CMMI Level 3 compliant change
management processes. All changes are discussed at and approved by the Enterprise Change
Management Committee (ECMC). ECMC membership includes, but is not limited to, CTEP-ESYS
Project Officers, CTEP Branch Chiefs, CTEP-ESYS contractors and CTEP-ESYS stakeholders.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: CTEP-ESYS data is maintained in a secure
database. The following are in place as Management Controls:
· Logon Banners
· Rules of Behavior
· System Security Plan
· Configuration Management, Change Management Plans and Processes
· Disaster Recovery Plan (tested)
· Interconnection Security Agreement
The following are in place as Technical controls for CTEP-ESYS:
· User ID and Passwords are required to login to CTEP-ESYS applications
· The CTEP-ESYS application is hosted within NIH Network boundaries and is protected by
NIH CIT provided Perimeter Firewall and Intrusion Detection Systems
· SSL Encryption is enabled for access to web based interfaces of CTEP-ESYS modules, where
necessary
· Proactive Systems Monitoring and Alerts Management
· Anti-virus, security updates and patching procedures
· Periodic SARA Scans for CTEP-ESYS systems
· Incident Response Procedures
· System and Database Audit Trails and Logs
The following are in place as Operational controls for CTEP-ESYS:
· Personnel Security
· Security Clearance Process for all contractor personnel working on CTEP-ESYS
· CTIS Hiring and Termination Process
· NIH Non-Disclosure Agreement for all CTIS employees working on CTEP-ESYS
· Annual requirement by employee to take NIH CIT Security Awareness Training
· Physical and Environmental Protection
· Visitor Log Procedures
· Backup Procedures
· Offsite Storage for Tapes
· Video Surveillance of Data Center
· AC Maintenance Process
· Contingency /Disaster Recovery Plan
· Incident Response Procedures
· Alerts and Scans
· Identification and Authentication
· User Account Management Process
· Role based user access to systems
· Password Change Policies
· Procedures for handling lost/compromised passwords
· Audit Trails
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Trials
Support Unit (CTSU)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Requested
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Requested
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Cancer Trials Support Unit
(CTSU)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mike Montello
10. Provide an overview of the system: The Cancer Trials Support Unit (CTSU) is a service
offered by the National Cancer Institute to enhance and facilitate access to cancer clinical trials
for clinical investigators in the United States and Canada. The CTSU maintains a broad menu of
trials developed by the adult cancer Cooperative Groups and other research consortia and works
with these organizations to offer patient enrollment, data collection, data quality management,
and enrollment reimbursement services to clinical sites entering patients in these trials. In
addition, the CTSU offers a regulatory support service to all adult cancer clinical trials by
collection of regulatory documents and maintenance of a national database of investigators and
sites. The CTSU also provides education and training for clinical site staff and clinical trials
promotion services to help increase enrollment in cancer trials. A large and complex information
technology infrastructure has been developed to support CTSU operations and exchange data
with other data centers involved in cancer research. Westat is the prime contractor on the project,
having two subcontractors, and working with numerous other organizations.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
CTSU shares NCI Investigator and NCI Associates data with CTEP-ESYS, an NCI-sponsored
project, and with other Cooperative Groups, to increase participation in NCI-sponsored cancer-related
clinical trials.
With increased awareness and access to the trials information, CTEP intends to increase
physician and patient participation in the NCI sponsored trials.
CTSU shares this information, which may contain IIF, with lead research organizations for the
purpose of assuring patient safety, for scientific decision making, drug distribution, regulatory
oversight (i.e., investigator registration; trial audits) and to facilitate administrative operations.
CTSU also shares this information with the Cooperative Groups and with NCI Center for
Biomedical Informatics and Information Technology’s Clinical Data System (CBIIT-CDS).
Some of this information is available to staff at Cooperative Group member sites on a limited
basis.
Some of the information that CTSU shares with CTEP and CBIIT-CDS is also publicly available
elsewhere.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Legislation authority is the
Public Health Service Act (42 U.S.C. 241, 242, 248, 282, 284, 285a-j, 285l-q, 287, 287b, 287c,
289a, 289c, and 44 U.S.C. 3101.).
The types of data used are scientific and health data about cancer clinical trials, including clinical
and pre-clinical data with associated regulatory and administrative supporting information.
Patient participation in CTEP clinical trials is voluntary and participants in CTEP clinical trials
sign an informed consent. Types of information available in the CTSU Enterprise include
protocols and protocol attributes, Investigator registration details, and non-IIF patient accrual
details. The information is used to assure patient safety, for scientific decision making, drug
distribution, regulatory oversight (i.e., investigator registration; trial audits) and to facilitate
administrative operations.
The CTSU collects and maintains various types of data.
Investigator and treatment site staff information is obtained from the CTEP-ESYS and
maintained in the CTSU. Cooperative Group staff use this data to maintain their membership
rosters. This data is used as part of the credentialing requirements for patient enrollments.
Protocol and regulatory information related to the member sites is collected and maintained in
the CTSU Enterprise.
This data is disseminated to Cooperative Groups to support patient enrollment and data
collection processes.
The CTSU also performs patient enrollments and will begin to collect demographic, eligibility
criteria data, and other enrollment required data as part of this process. This data is collected on
behalf of and shared with the organization that is leading a study.
For some studies, the CTSU performs the complete data management and collects/maintains the
clinical data collected for a study and disseminates it to the organization leading the study.
Patient participation in CTEP clinical trials is voluntary.
PII collected and maintained includes name, date of birth, social security number, mailing
address, phone number, medical records number, medical notes, and email address.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Users that access the systems must reregister on an
annual basis and any changes would be communicated through that process.
NCI Investigators furnish their information to CTEP in a written application. IIF related to the
Regulatory Support System (RSS)/Financial Management System (FMS) are supplied to
the CTSU at the time of account request via a standard application.
Participating research organizations require trial participants to sign an authorization to use or
disclose identifiable health information for research. A subject cannot enroll in a study without
providing one of these release forms. They can withdraw the authorization at a later time, but
then must leave the study. The link to the form is https://www.ctsu.org/HIPAA/
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: CTSU data is maintained in a secure
database.
The following are in place as Management Controls:
· Rules of Behavior
· System Security Plan
· Configuration Management, Change Management Plans and Processes
· Disaster Recovery Plan
· Interconnection Security Agreement
The following are in place as Technical controls for CTSU:
· User ID and Passwords are required to log in to CTSU applications
· The CTSU application is hosted within Westat Network boundaries and is protected by Westat-
provided Perimeter Firewall and Intrusion Detection Systems
· SSL Encryption is enabled to access web-based interfaces of CTSU modules, where necessary
· Proactive Systems Monitoring and Alerts Management
· Anti-virus, security updates and patching procedures
· Periodic vulnerability scans for CTSU systems both internal and external
· Incident Response Procedures
· System and Database Audit Trails and Logs
The following are in place as Operational controls for CTSU:
· Personnel Security
· Security Training/Clearance Process for all personnel working on CTSU
· Westat Hiring and Termination Process
· Non-Disclosure Agreements for all employees working on CTSU
· All employees take/review NIH CIT Security Awareness Training on an annual basis
· Physical and Environmental Protection
· Visitor Log Procedures
· Backup Procedures
· Offsite Storage for Tapes
· Video Surveillance of Data Center
· AC Maintenance Process
· Contingency/Disaster Recovery Plan tested regularly (last test on 11/2/08)
· Incident Response Procedures
· Alerts and Scans
· Identification and Authentication
· User Account Management Process
· Role-based user access to systems
· Password Change Policies (in sync with CTEP-ESYS)
· Procedures for handling lost/compromised passwords
· Audit Trails
The system falls under the Privacy Act System of Records Notice 09-25-0200.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI CB CaArray
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-28
7. System Name (Align with system Item name): CaArray (Director's Challenge Toward a
Molecular Classification of Cancer)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: JJ (Jeng-Jong) Pan
10. Provide an overview of the system: caArray is an open-source, web and programmatically
accessible array data management system. caArray guides the annotation and exchange of array
data using a federated model of local installations whose results are shareable across the cancer
Biomedical Informatics Grid (caBIG™). caArray furthers translational cancer research through
acquisition, dissemination and aggregation of semantically interoperable array data to support
subsequent analysis by tools and services on and off the Grid. As array technology advances and
matures, caArray will extend its logical library of assay management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Clinical investigators/submitters are asked to provide their professional contact information in
order to further scientific collaboration and provide a point of contact for their area of
interest/research. Personal email addresses, mailing addresses and phone numbers may be
unintentionally provided by the investigator/submitter in lieu of professional information.
Personally identifiable information in the form of contact information for the clinical
investigator/submitter can be obtained from caArray on the Contacts tab once a particular
experiment is selected/accessed. This information (which is provided voluntarily by the
investigator/submitter) is shared to encourage scientific collaboration and the aggregation of
semantically interoperable array data which will allow for easier subsequent analysis.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Clinical
investigators/submitters are asked to provide their business contact information, including name,
mailing address, phone number, and e-mail address.
(2) Professional contact information is collected in order to identify the researcher and associate
the researcher with a particular experiment or other collected research information.
(3) This information does ask for PII, but investigators may unintentionally provide personal
contact information.
(4) The submission of this information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) NCI will post notices on the caArray website to inform
clinical investigators/submitters of:
(1) major changes that occur to the caArray system that may affect the use/disclosure of PII in
the system;
(2) changes in the type of PII to be collected from them;
(3) any changes to how PII is used or shared.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: System uses firewalls, passwords, locks, ID
badges, background investigations, network monitoring and an Incident Response team.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI CB Clinical Trials -
Bioinformatics [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4917-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): NCI-27
7. System Name (Align with system Item name): NCI CB Clinical Trials - Bioinformatics
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: David Patton
10. Provide an overview of the system: The Cancer Centralized Clinical Data System (C3DS)
is leading the National Cancer Institute's (NCI) effort to create and distribute information
technology infrastructure to support the conduct of all aspects of NCI's supported clinical trials.
Legislative authority: Public Health Act, Title 42, Chapter 6A, Subchapter III, Part C, Subpart 1,
Sec. 285, Sec. 285A and 44 U.S.C. 3101.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII data is limited to the doctors and nurses specifically linked to that study.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: PII includes patient initials,
DOB, Medical Notes and Medical Record Numbers. The C3D will collect clinical trial data for
efficacy analysis and safety monitoring. Clinical Centers collect the data that is stored in C3D
voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Notification and consent for individuals is covered
under the Privacy Policy provided on the site. All NCICB websites contain a Privacy Preference
statement which enables NCICB to express its privacy practices in a standard format that can be
retrieved automatically and interpreted easily by user agents to automate decision-making based
on these practices when appropriate.
Notice of consent is provided via an electronic notice (in both machine- and human-readable
formats).
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: System uses firewalls, passwords, locks, ID
badges, background investigations, network monitoring and an Incident Response team. This
system falls under the Privacy Act System of Records Notice 09-25-0200.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Central European
Renal Cell Cancer Follow-Up Study (CERCC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NA
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): NA
5. OMB Information Collection Approval Number: 0925-New
6. Other Identifying Number(s): CAS 10420
7. System Name (Align with system Item name): NIH NCI Central European Renal Cell
Cancer Follow-Up Study (CERCC)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lee E Moore
10. Provide an overview of the system: In addition to publications of benefit to the scientific
community, data collected will be used to assess the 5-year survival status of kidney cancer
patients that had participated in a case-control study to assess the prevalence of recurrent disease
and progression, and to investigate patient, tumor and genetic determinants of survival in cases.
This information will be used to identify prognostic indicators of survival that will be used to
identify determinants of high-risk patients in an effort to reduce disease mortality. The information
will be collected in the study centers by PIs, and questionnaires and abstraction forms will be
immediately coded with a personal identification number before questionnaires are sent to the
International Agency for Research on Cancer in Lyon, France. Here they will be made into an
electronic format and forwarded to the NCI. All disks will be mailed and require a password that
will be given by phone in order to open the coded files. Information that will be collected will
include patient related factors (age, sex, tobacco usage), tumor related factors (anatomic site,
histology, disease staging, tumor size, extension) and treatment related factors (surgery,
radiotherapy, chemotherapy, resection margins). Biologic prognostic characteristics of kidney
cancer subsets will be measured and correlated with mortality to identify predictive indicators of
disease outcome. The four outcomes we intend to evaluate specifically include: 1) Renal Cell
Carcinoma (RCC) death, 2) Alive at 5-years with disease recurrence (same clinical stage or
disease independent of primary tumor), 3) Alive at 5-years with disease progression (disease
presents at higher clinical stage than primary diagnosis), and 4) Censored (alive at 5-years, lost
to follow-up, or died of other causes). As in the case-control study, physicians and experienced
medical staff will be employed to abstract hospital records, pathology reports, and treatment
information on coded forms that do not contain personal identifying information. After we
distinguish the types of follow-up protocols used and procedures followed in each country, we
will develop a definition of those cases confirmed to be disease-free (using high-confidence
methods, i.e., CT, PET, other laboratory methods), and patients for whom follow-up was not
confirmed, incomplete, or undetermined (“low confidence confirmation”) so that we can stratify
by this variable and conduct restricted analyses. We plan to collect information on methods used
to evaluate disease status. Treatment variables will be grouped into broad categories and will be
used as adjustment variables. Lastly, we will initiate follow-up at date of diagnosis and collect
survival at 5-years, controlling for treatment and perhaps with time dependent co-variables for
treatment duration as needed. We will not discount any time during cancer treatment towards
survival as this could make more advanced cases with longer treatment duration incorrectly
appear to have a longer disease-free survival.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
NA
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The agency will collect
information as variables that are coded with a personal subject ID code that will inform us of the
survival status of individuals who had previously participated in a case-control study of kidney
cancer conducted in central Europe. This information includes date of death, cause of death, and
date of last follow-up in a hospital by a physician. We will also receive information regarding
the stage and grade of the cases' tumors if they recurred or progressed. We will also receive in a
coded manner information on the type of surgical and medical treatment procedures used to treat
primary disease.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This work will be conducted in the study centers in
Central Europe, and we will not be involved in, nor have access to, any material with names of cases.
Briefly, once individuals have agreed to participate at each center, cases and next-of-kin to cases
will be given a paper consent form to sign by the study center Principal Investigator. This form
informs them of the procedures involved in the study, tells them about the questionnaire and how
this follow-up study relates to the original study, states that there will be no compensation or
payment for completion of the questionnaire, and describes the potential discomfort, risks, and
benefits. It also assures the patient or next-of-kin of confidentiality of the information collected
at each study center, of their rights as a participant, and certifies that they have read the form,
and whether they agree (yes/no) to participate in the interview, and whether they agree for us to
access their hospital records.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII will never be on the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Central Institutional
Review Board (CIRB)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Requested
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): SORN 09-25-0200
5. OMB Information Collection Approval Number: Requested
6. Other Identifying Number(s): NCI Control No. N02CM-2008-00010
7. System Name (Align with system Item name): NIH NCI Central Institutional Review
Board (CIRB)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mike Montello
10. Provide an overview of the system: The overall purpose of the NCI CIRB data systems is
to provide comprehensive informatics support for a centralized process of facilitating
Institutional Review Board (IRB) activities for National Cancer Institute (NCI) Cooperative
Group clinical trials. The NCI CIRB data systems are comprised of 3 modules and fulfill multiple
functions: 1) to enroll local sites with their contacts and track their local IRBs, 2) to manage
study-related documents and other information, 3) to convey study and board review information
to sites and collect from sites facilitated review acceptance forms via the web, 4) to track and
report on CIRB help desk issues, and 5) to track and report on board membership attendance and
management of board member reimbursement.
The three modules are comprised of the Membership Attendance and Tracking (MAT) internal
database and the CIRB HelpDesk Application internal database (CHAD), maintained by EMMES;
the CIRB Enrollment System (CES) and CIRB Website, hosted by CTIS; and the IRBManager
web-based application, hosted by BEC.
Information is sent from IRBManager to the CIRB Oracle database, which serves as the backend
of the CIRB website. The MAT and CHAD databases are internal systems used for operations
and do not exchange information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IRBManager and the CIRB Web Site, both of which are modules of the CIRB system, exchange
study information and related documents. The CIRB web site includes both password-protected
and publicly available sections. Some of the information exchanged is also publicly available
elsewhere. This system falls under the guidelines of Privacy Act System of Records Notice
09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Legislative authority is the
Public Health Service Act (42 U.S.C. 241, 242, 248, 282, 284, 285a-j, 285l-q, 287, 287b, 287c,
289a, 289c, and 44 U.S.C. 3101), CFR Title 45 Part 46 (Protection of Human Subjects), and
CFR Title 21 Part 50 (Protection of Human Subjects) and Part 56 (Institutional Review Boards).
The types of data used are both scientific and administrative and used to inform board members
concerning the studies under review, manage the operations and communications of Adult and
Pediatric Central Institutional Review Boards, and convey information to sites concerning
studies reviewed by the CIRB and decisions made by the CIRB.
The CIRB Operations Office staff routinely generates standard and ad-hoc reports, including
quality control metrics that display CIRB information concerning studies, Boards, local sites,
local site IRBs, and Operations Office activities.
Personal information provided by Board members is provided as part of their voluntary service
to the CIRB and the NCI. Names and contact information provided by contacts at the local sites
and IRBs are provided by site representatives on a voluntary basis but are required for effective
participation of their site in the CIRB Initiative.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The CIRB collects IIF from Board members and local
sites using forms that may be completed as hard or electronic copies and mailed or emailed to the
Operations Office for data entry. Board members and site representatives are aware of the
purposes for which their contact information will be used. A privacy statement is available
electronically, and additional privacy statement information is shared during the enrollment
application process.
Changes to CIRB processes, including development, utilization, or revision of CIRB information
systems and using or sharing of data, are subject to review and approval by an NCI Project
Officer. IT Change Management processes are in place at the respective contractor or
subcontractor.
Users that access the systems must reregister on an annual basis and any changes would be
communicated through that process.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: CIRB data is maintained in secure
databases.
The following are in place as Management Controls:
· Login Banners
· Rules of Behavior
· System Security Plan
· Configuration Management, Change Management Plans and Processes
· Disaster Recovery Plan
The following are in place as Technical controls for CIRB:
· Network security via User ID and Password login
· User ID and Passwords required to login to CIRB applications
· The CIRB applications are hosted within Network boundaries and protected by Perimeter
Firewall and Intrusion Detection
· SSL encryption is enabled for access to web-based interfaces of CIRB modules, where
necessary
· Proactive Systems Monitoring and Alerts Management
· Anti-virus, security updates and patching procedures
· Periodic scans for CIRB systems both internal and external
· Incident Response Procedures
· System and Database Audit Trails and Logs
The following are in place as Operational controls for CIRB:
· Personnel Security
· Security Clearance Process for designated contractor and subcontractor personnel working
on CIRB
· Contractor and Subcontractor Hiring and Termination Process (NIH suitability
investigations for key personnel)
· NIH Non-Disclosure Agreement for all contractor and subcontractor employees working on
CIRB
· Annual requirement for all employees to take/review NIH CIT Security Awareness
Training
· Physical and Environmental Protection (including individualized door entry cards and
photo ID)
· Visitor Log Procedures
· Backup Procedures
· Offsite Storage for Tapes
· Video Surveillance of Data Center
· AC Maintenance Process
· Contingency / Disaster Recovery Plan
· Incident Response Procedures
· Alerts and Scans
· Identification and Authentication
· User Account Management Process
· Role based user access to systems
· Password Change Policies (for systems per NIH requirements)
· Procedures for handling lost/compromised passwords
· Audit Trails
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Clinical Data System
Web
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Clinical Data System Web
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jose Galvez
10. Provide an overview of the system: CDSWeb is proprietary software used by NCI clinical
trial sites to report clinical trial administrative data, accrual and adverse events. Users of the
CDSWeb system enter study administrative data, participant demographics data and optionally,
adverse event data. This data can be entered throughout the course of the study but must be
submitted at the end of each quarter. Once the data is processed and accepted by CTEP-ESYS,
the finalized dataset is stored in the CTEP database, which is a system separate from CDSWeb.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The data collected is
basic demographic data, treatment course data and adverse event data. The data is de-identified
and does not contain PII.
2) This data is collected to monitor, evaluate and administer clinical trials.
3) CDS Web does not contain any PII.
4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1) N/A
2) N/A
3) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Clinical Trials
Monitoring Service (CTMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: In Process
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Clinical Trials Monitoring Service
(CTMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Gary L. Smith
10. Provide an overview of the system: The Clinical Trials Monitoring Service assists the
Cancer Therapy Evaluation Program in fulfilling its responsibilities to the FDA by providing:
1) a centralized protocol patient data capture and quality control review system for clinical
investigators conducting phase 0, phase 1 and selected phase 2 clinical trials;
2) an on-site auditing resource for phase 0, 1 and selected phase 2 clinical trials;
3) a mechanism for assuring compliance with Clinical Trials Monitoring Branch (CTMB) Guidelines
for Monitoring Clinical Trials for Cooperative Groups, Community Clinical Oncology Program, and
Cancer Trials Support Unit via a co-site visitation process;
4) assurance to the DCTD that Cancer Centers and single institutions participating in clinical
trials utilizing DCTD sponsored IND agents/funds are in compliance with federal regulations, and
NCI policies and procedures;
5) a mechanism to provide administrative and audit support to international groups/institutions
collaborating with DCTD to ensure compliance with Good Clinical Practices.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
CTMS shares data with DCTD for oversight and monitoring of clinical trials. Data from CTMS
is downloaded into the Clinical Data System, a component of the CTEP-ESYS.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: CTMS collects contact
information of investigators or research staff for the purpose of correspondence related to the
conduct of NCI sponsored clinical trials. Most of the information that CTMS collects is non-IIF,
and is publicly available elsewhere. CTMS does not require or collect IIF from investigators or
research staff, but they may submit IIF unintentionally (such as home address, personal email
accounts, etc.).
CTMS does collect patient information related to birth date (mm/dd/yy). This information is
needed to ensure protocol eligibility requirements are met. Any IIF related to patients
participating in NCI sponsored clinical trials that CTMS inadvertently receives in paper format
is not accepted at CTMS; it is returned to the institution to be redacted, to ensure patient
privacy and confidentiality. CTMS stores patient data in de-identified format.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) CTMS collects protocol patient data. All the data is
de-identified and would not fall into the category of IIF. If IIF is accidentally submitted, which
rarely occurs, it is CTMS policy to return it to the submitting institution for de-identification.
The only data item that may be considered IIF is the patient's/participant's birthdate. This data
element is used (particularly for pediatric patients) to ensure that protocol specified eligibility
criteria relating to age restrictions are adhered to. Patients/participants are informed and sign an
informed consent acknowledging that data will be collected as part of their participation in a
clinical trial. The data is collected at the research institution (covered entity) and transmitted
to CTMS via an electronic data capture system.
CTMS collects information on NCI Investigators in order to perform their responsibilities for
oversight and monitoring of clinical trials. The information includes investigator name, address,
email address and telephone number. This information is often collected through other CTEP
systems, such as Investigator Registration System Filing System or CTEP-ESYS and transmitted
to CTMS. Investigators are aware of the need to collect such data as part of the 1572 process
required for all investigators. The information is used for correspondence purposes,
reimbursement of outside physicians participating in Cancer Center Site Visits, and other
activities in carrying out CTMS’s mission. This data is used for internal administrative purposes
only such as site visit attendance, travel arrangements, hotel bookings and follow-up
correspondence with the specific individual. It is not released to any outside entity.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: CTMS data is maintained in a secure
database.
The following are in place as Administrative Controls:
· Personnel Security
· Background Investigation Process for all personnel working on CTMS
· CTMS Hiring and Termination Process
· Theradex Non-Disclosure Agreement for all CTMS employees working on CTMS
· Annual requirement for all employees to take NIH CIT Security Awareness Training
· Rules of Behavior
· System Security Plan
· Configuration Management, Change Management Plans and Processes
· Contingency /Disaster Recovery Plan
· Incident Report Procedures
The following are in place as Technical controls for CTMS:
· Identification and Authentication
· User Account Management Process
· Role based user access to systems
· Password Change Policies
· Procedures for handling lost/compromised passwords
· Audit Trails
· The CTMS application is hosted within Theradex Network boundaries and is protected by
Theradex-provided Perimeter Firewall and Intrusion Detection Systems
· Proactive Systems Monitoring and Alerts Management
· Anti-virus, security updates and patching procedures
· Incident Response Procedures
· System and Database Audit Trails and Logs
The following are in place as Physical controls for CTMS:
· Physical and Environmental Protection
· Visitor Log Procedures
· Backup Procedures
· Offsite Storage for Tapes
· AC Maintenance Process
· Alerts and Scans
· Back-up Generator
· Alarmed Server Room
· Limited access Server Room
· Isolated Servers
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Consortia Data
Transfer Website (CDT)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NCI Consortia Data Transfer Website
(CDT)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anne Ryan (Troy Budd is
alternate POC)
10. Provide an overview of the system: The DCP Consortia Clinical Data Transfer (CDT)
Website is an Internet web portal that provides DCP and Consortia clinical data management
staff with access to study-specific SAS datasets and reports of clinical data entered in DCP OC-
RDC. It also provides a platform to publish any network announcements and/or updates
regarding DCP Consortia clinical data management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF is present in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Types of data available in
CDT include adverse events, agent information, discrepancy reports and non-IIF participant
level data. The CDT Website is designed for users from seven clinical sites as well as DCP and
Westat. Each site has an individual user content area from which the approved users can access
and download the study-specific datasets and reports and view user profiles.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is present in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF is present in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Continuation of
Follow-up of Des-exposed Cohorts - IMS
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: Clinical exemption applied for, no ID
number assigned yet
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Continuation of Follow-up of DES-exposed
Cohorts
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Robert Hoover
10. Provide an overview of the system: The National Cancer Institute (NCI) Combined DES
Cohorts Follow-up Study is a nationwide research study following more than 21,000 women and
men to learn as much as possible about the long-term health effects of DES exposure. The NCI
study is the largest ongoing research study on long-term health and DES exposure. Five research
centers in the United States carry out the DES Follow-up Study, coordinated by NCI. Leaders in
DES research and education are responsible for the study and are dedicated to increasing
scientific and medical knowledge about DES exposure. The research team includes physicians,
epidemiologists, researchers, and DES advocates and educators.
IMS provides data management and analytical support for the DES Follow-up Study. The support
includes statistical analysis, creation and manipulation of analysis files, graphics generation, and
reporting for analytical projects. The tasks covered under this PIA include:
· Assist in the design of statistical analyses and reports.
· Design and create analysis files.
· Program analyses using SAS software.
· Quality control of data and reports.
· Document the data elements and project requirements.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
DES Study Center Principal Investigators can view the data for research purposes.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The PII collected and stored
in the system may include:
· Date of Birth
· Date of Death
· Date of Last Contact
· Vital Status
· Gender
· Cancer Diagnosis
The data are used to investigate the relationship between DES exposure and health outcomes.
Collection of this information is a voluntary process, as part of the study followup. This
information will be used for analysis and reporting purposes.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) For this study, completing a questionnaire is voluntary.
Participants have the option to refuse participation or complete the questionnaire. If medical records or
tissue slides are necessary for disease confirmation, participants are sent a consent form with a
written explanation of the purpose of the additional data. For the questionnaire, options are
provided to refuse to participate in a single follow-up or to decline all future participation.
Participants can contact study centers via phone, mail, or email, and through these contact
options, participants can ask the study sites to have their data expunged from the study.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII will be secured in a similar fashion
to that of other data stored in the system. Briefly, security measures include:
System Monitoring
Automated audit trails are monitored on all server-based systems deployed at IMS. Audit records
and server logs are reviewed daily for anomalies. An automated reporting tool is used to analyze
the server logs for abnormal activity. Automated audit trails also play an important part in
governing the access granted to users outside the Contractor's Local Area Network (LAN). A
firewall is in place that logs all incoming and outgoing connections to the LAN, including
connections to the UNIX/Linux workstations and the Windows servers. This log is maintained and
checked for evidence of attempted unauthorized access to the Contractor's LAN.
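The firewall-log review described above (every inbound and outbound connection logged, the log checked for evidence of attempted unauthorized access) is the kind of check that is worth automating so that the daily review is a triage of findings rather than a read of raw lines. The following is an added example written for this page, not IMS's reporting tool or any product named in the PIA. The log line format, the five-denials-in-five-minutes threshold and the sample lines are all constructed for the illustration; a real deployment would adapt parse_line() to its firewall's export format and tune the threshold to its own traffic.

```python
"""Flag sources whose repeated denied inbound connections look like attempted
unauthorized access. Added example; not the tooling described in the PIA.

Assumed log format (constructed for this example), one connection per line:
    <ISO timestamp> <IN|OUT> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: a port-probe burst from 198.51.100.7, normal traffic from
# 203.0.113.44 with two isolated denials hours apart, and one malformed line.
SAMPLE_LOG = """\
2012-08-20T02:14:01 IN DENY src=198.51.100.7:40123 dst=10.0.5.21:22
2012-08-20T02:14:02 IN DENY src=198.51.100.7:40124 dst=10.0.5.21:23
2012-08-20T02:14:02 IN DENY src=198.51.100.7:40125 dst=10.0.5.21:445
2012-08-20T02:14:03 IN DENY src=198.51.100.7:40126 dst=10.0.5.22:22
2012-08-20T02:14:05 IN DENY src=198.51.100.7:40127 dst=10.0.5.23:22
2012-08-20T02:14:06 IN ALLOW src=198.51.100.7:40128 dst=10.0.5.30:443
2012-08-20T09:00:10 IN ALLOW src=203.0.113.44:51000 dst=10.0.5.30:443
2012-08-20T09:00:11 OUT ALLOW src=10.0.5.30:51001 dst=203.0.113.44:443
2012-08-20T09:05:00 IN DENY src=203.0.113.44:51002 dst=10.0.5.21:22
2012-08-20T11:30:00 IN DENY src=203.0.113.44:51003 dst=10.0.5.21:22
this line is malformed and must be counted, not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>IN|OUT) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def find_suspicious_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Report sources with at least `threshold` inbound DENYs inside any
    `window`-long span. Returns (findings, malformed_line_count); findings maps
    source IP -> {"denies", "ports", "first", "last"} for the first such burst.
    Malformed lines are counted rather than silently dropped, so a reviewer
    notices a format change or truncation in the log feed."""
    denies = defaultdict(list)
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if rec["dir"] == "IN" and rec["action"] == "DENY":
            denies[rec["src"]].append(rec)

    findings = {}
    for src, recs in denies.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over the sorted denials
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = recs[start:end + 1]
                findings[src] = {
                    "denies": len(burst),
                    "ports": sorted({r["dport"] for r in burst}),
                    "first": burst[0]["ts"],
                    "last": burst[-1]["ts"],
                }
                break
    return findings, malformed


if __name__ == "__main__":
    found, bad = find_suspicious_sources(SAMPLE_LOG)
    for src, info in found.items():
        print(f"{src}: {info['denies']} denials on ports {info['ports']} "
              f"between {info['first']} and {info['last']}")
    print(f"malformed lines: {bad}")
```

Run as-is it flags 198.51.100.7 (five denials across ports 22, 23 and 445 within a few seconds) and leaves 203.0.113.44 alone, whose two denials are hours apart. The window and threshold are the knobs a reviewer tunes: the same source is flagged at a lower threshold with a wider window, which is the right setting for slow, patient probing rather than a burst.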
Computer Center Administrative and Physical Safeguards
IMS’ Standard Operating Procedure (SOP) for Computer Resource Security details the standards
and processes used to ensure the security of the computer resources and data. All IMS employees
will be required to read and follow this SOP.
IMS’ computer center has facilities in Silver Spring, MD and in Sterling, VA. The Sterling,
Virginia site will be used for production services that require 24/7 accessibility. This site has
personnel on site 24-hours a day in a facility that requires a key card and fingerprint for access.
The facility also provides protection against fire and flood with highly sensitive monitoring
equipment. Generators are available to provide continuous electricity in case of a main power
failure.
The Silver Spring computer center is in a separate office with a key coded access lock. Each
person authorized to access the computer center has a personal ID and password that must be
entered each time the door is opened. A log of any attempt to enter the computer center is
maintained. This log is routinely reviewed to identify any potential security risks. Visitors are
never allowed into the computer center at either site. Maintenance and repair personnel will be
escorted into the computer room and then monitored until all work is complete.
IMS employs firewalls with Intrusion Detection capabilities to secure the network perimeter.
The firewalls are continually monitored. Reports are distributed to authorized administrators
twice daily for their review. Computer center staff perform weekly security checks using
Security Auditor's Research Assistant (SARA), a third generation UNIX-based security analysis
tool. IMS routinely reviews the security check results and rectifies any identified potential
security vulnerabilities.
Registration of authorized users on IMS' Network is controlled by the IMS system administrator.
To enter the network, the user must have an authorized user ID and a password, which must be
changed every 60 days. Network privileges are established which set access rights and
restrictions to network resources. Access privileges to sensitive data and operating systems
within the network are controlled by user ID. Authorized users have specific levels of access,
such as "read only" or "read and write".
Use and disclosure policy
As part of IMS’ employee orientation, each new employee reviews an overview of security
policies and guidelines for IMS. Each new employee is required to sign a confidentiality
agreement and complete the on-line NIH computer security and privacy awareness training
courses. The confidentiality agreement requires that no data be released without the written
authorization of the owner. In addition, the on-line NIH computer security refresher course will
be completed annually by all employees.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Continuation of
Follow-up of DES-exposed Cohorts - Westat
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): SORN 09-25-0200
5. OMB Information Collection Approval Number: Clinical Exemption-02-01-04
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH DES Follow-up Study Coordinating
Center Management Systems
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Robert Hoover
10. Provide an overview of the system: The DES Follow-up Study Coordinating Center
Management System maintains participant information to support activities conducted for the
Principal Investigators and staff at the study centers. Support activities include tracking the
receipt of data collection forms during Follow-Ups, coordinating the review of pathology slides,
coordinating submittals for National Death Index searches, coding of medical records and death
certificates, receiving results from cancer registry searches, providing study status reports, and
monitoring data for quality control.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII is disclosed to the National Center for Health Statistics (NCHS) for National Death Index
(NDI) searches.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Participants provided their
name, mailing address, phone number, date of birth, and social security number to the specific
study center which enrolled the participant. Participants may also provide to the study centers
race, ethnicity, email addresses and updates to addresses and phone numbers during follow-ups
or when contacted for other reasons. PII was voluntarily provided by participants after study
consents were signed. Names and contact information are maintained by the individual study
site which enrolled the participant and this PII is not disseminated to the other study sites. The
study sites may send PII to the coordinating center for a specific purpose (e.g., an NDI search).
The coordinating center destroys contact information after the task is completed. Participants
can decline future participation at any time through phone calls, emails or letters to the study
centers.
PII is disclosed to the NCHS for an NDI search.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Participants signed Consent Forms upon enrollment and
if contacted for a Follow-up they are given a written explanation of the purpose of the follow-up.
Providing any information is voluntary for this study. Options are provided to refuse to
participate in a single follow-up or to decline all future participation. Participants can contact the
study centers via phone, mail, or email to decline participation.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The following classes of controls are in
place to protect the participant PII: access control including user account management, access
enforcement, password strength, least privilege concept, session termination; security awareness
and training; audit and accountability; configuration management; contingency planning;
identification and authentication for users, devices; incident response including training, testing,
monitoring; timely and controlled maintenance; media protection; physical and environment
controls such as id badges, physical access authorization using access cards and keyed locks for
building and room entry, monitoring, visitor control, emergency power, and shutoff, disaster
protection and recovery; system security plan; personnel security; rules of behavior; risk
assessment planning, monitoring, update; technical and communication protection including
denial of service protection; boundary protection, programmable firewalls, establishment of
network zones with varying levels of restrictions; transmission integrity; security certificates,
encryption, regular virus detection and monitoring; policies and procedures are in place for each
control class.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI DCP Collaboration
Repository (DCPCR)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NCI DCP Collaboration Repository
(DCPCR)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anne Ryan (Troy Budd is
alternate POC)
10. Provide an overview of the system: The DCPCR provides the means for DCP and its
contractors to centralize the management of project collateral. It serves as a single point of access
from which DCP and its contractors can obtain and share timely and accurate DCP enterprise
information in an organized environment. Documents are posted to topic-specific content areas
to which user access is authorized by DCP based on user role/function within DCP or a DCP
contractor organization.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
DCPCR information is shared with the Food and Drug Administration (FDA) to fulfill regulatory
requirements. However, the FDA does not interface directly with DCPCR. The IIF is under SOR
09-25-0200 Clinical, Basic, and Population-based Research Studies of the National Institutes of
Health (NIH), HHS
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: DCP collects researcher's
name, date of birth, mailing address, phone numbers, financial information, education records
and military status in order to identify, review and approve individuals to conduct NCI DCP
clinical trials.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Personally Identifiable information (PII) is provided to
fulfill regulatory requirements and is for internal DCP use only.
Investigators provide PII using the FDA 1572 form and required supporting documentation
(e.g., CV, financial disclosures, medical licenses, etc.). The 1572 form is signed and
submitted by the investigator with the understanding that DCP will use and disclose PII
information as needed to fulfill its regulatory requirements.
FDA tasks DCP with maintaining these documents to fulfill responsibilities as sponsor of clinical
research trials.
Investigators can withdraw the consent provided by the 1572, but then they can no longer
participate in the study. Per FDA, no investigator may participate in an investigation until he/she
provides the sponsor with a completed, signed Statement of Investigator, Form FDA 1572 (21
CFR 312.53(c)).
Changes are communicated at the time they are identified per DCP SOPs.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include SOPs,
policies and guidelines. Technical controls include user identification and authentication, an
Intrusion Detection System, logon warning banners, the concepts of least privilege and firewalls.
Physical controls include server room, proximity card entry, an automatic fire suppression
system and surveillance video. This system falls under System of Records Notice 09-25-0200.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI DEA General Support
System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Division of Extramural Activities
(DEA) General Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Greg Fischetti
10. Provide an overview of the system: The NIH NCI DEA General Support System provides
multiple applications for DEA and NCI staff which support the business processes involved with
the referral and review of contract proposals and grant applications, concept tracking and
reporting for the Board of Scientific Advisors, management of the National Cancer Advisory
Board, and coordination of the National Advisory Act by the Committee Management Office.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NIH NCI DEA General
Support System provides multiple applications for DEA and NCI staff which support the
business processes involved with the referral and review of contract proposals and grant
applications, concept tracking and reporting for the Board of Scientific Advisors, management of
the National Cancer Advisory Board, and coordination of the National Advisory Act by the
Committee Management Office.
BSA: Concept/Program/Funding Opportunity meta data and approvals
CATS: Workflow and Concept meta data
CI: Offeror Name, Org. Evaluation Criteria, Meeting data
DOCS: Meeting Roster including names, degrees, grant applications, staff phone & email,
standard per diem rates
ES: NCI staff Name, userId, title, org., office, phone, fax, email, classes, course attendance
FOAE: Workflow and FOA data
FOAR: FOA data, Application data, Application funding data
GL: Dictionary terms
IRG: Application data, Review recommendations and scoring
PC: Grants and contracts are coded by NCI staff to allow categorization of research dollars. The
information about Principal Investigators is their person ID, name, and degree.
PRS: Meeting data, meeting roster, application data, review scores
REVCD: Application data, meeting data, meeting roster, FOA data, review guidelines, summary
statements, application supplemental material, conflict of interest data
RPDU: Application data, PI name and institution, application
The DEA GSS processes only federal contact data. No PII is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A - No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A - No PII In the System.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Early Detection
Research Network (EDRN)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Early Detection Research Network
(EDRN)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Christos Patriotis
10. Provide an overview of the system: Public face of EDRN, a project of the Cancer
Biomarkers Research Group of the Division of Cancer Prevention of the National Cancer
Institute. The EDRN site provides information for the general public and prospective members
about EDRN research, cancer detection, and funding opportunities. EDRN members may log in
to gain further information including science data and information on unreleased biomarkers.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII in the system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Federal contact data is
solely contained within the system and is generally available elsewhere through other
applications and channels (such as institution/university staff directory). The purpose of
repeating such information within the application is to simplify accessibility for EDRN research
partners. There is no information gathered from the public. There is no public PII in the system.
Submission is entirely voluntary. Information includes EDRN member name, job title, work
email address, departmental home page URL, institution mailing address, institution telephone
and fax number, and institution online directory photograph.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII in the system. Authorized personnel
have physical access to server but may only access hardware. Digital information restricted to
internal hard drives.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI e-Grants/web-Grants
(e-Grants)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4930-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-38
7. System Name (Align with system Item name): NCI e-Grants/web-Grants
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Robert Jones
10. Provide an overview of the system: The eGrants/web-Grants provides online access over
the web to the official grant files including the ability to search for particular grants or
documents.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The name and contact information is shared with the NIH IMPACII system. Other information
is not shared. Sharing is done in accordance with SOR 09-25-0036.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Authority for collection of
this information is 5. U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR
Subpart 15.3 and Subpart 42.15. IIF contained in this system consists of the following
information about grantees: name, social security number, mailing address, telephone number,
financial information, e-mail address, education records, and a notice of grant award. This
information is maintained as part of the grants management system. The majority of this
information is not shared outside of NCI. The name and contact information is shared with the
NIH IMPAC II system. Information is submitted voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no process in place to notify individuals in the
event of major changes to system.
The grantees submit their information voluntarily and are made aware that it will be used in the
grant funding process.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Employee Database
Internet Edition
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bob Barber
10. Provide an overview of the system: EDie is a web-based application that allows institutes
to accurately maintain individual employee, contractor, and volunteer information, as well as
plan for, monitor, and report on workforce staffing levels.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal senior administrative use only and will not be shared with
other entities. Refer to SORN 09-90-0018.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie is a web-based
application that allows institutes to accurately maintain individual employee, contractor, and
volunteer information, as well as plan for, monitor, and report on workforce staffing levels. All
information collected is pertinent to a personnel file and represents only federal contact data. The
EDie system does contain PII data as described in question 17 of the PIA. There are many uses
for this information: (a) tracking a time-limited appointment to ensure renewals are done in a
timely manner thereby avoiding any break in service; (b) ensuring that allocated FTE ceilings are
maintained; (c) ensuring salary equality for various hiring mechanisms; (d) the ability to provide
reports requested by the NIH Director; (e) maintaining lists of non FTEs, special volunteers,
contractors, etc. Information is mandatory at time of hire.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is collected from documents provided by
employees (CV, resumes, etc.) at the time of appointment; it is provided in personnel packages
submitted through channels in order to effect a hire. This information is put into Capital HR and
Fellowship Payment System (FPS) and subsequently downloaded into EDie. Individuals are
notified of the collection and use of data as a part of the hiring process. Changes to the system or
to the use of the information are relayed to employees via official notices from HR and the system
owner.
1) N/A: EDie is not the point of original collection of this data.
2) EDie is a reporting system that inherits PII data from other official HR systems. Currently,
no users have access to SSN, DOB, or home address through the EDie application.
3) We do not expect any significant changes to the system functions related to PII; if this
happens, HR and the system owners will notify all affected employees electronically (e-mail).
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to sensitive data fields is limited on a
need-to-know basis. Each user signs a security statement and receives a password. Any
violations result in loss of access to the system. Information is also secured by separation of duties,
an intrusion detection system, firewalls, locks, and background investigations. A
comprehensive IRT capability is also maintained. This system falls under System of Records
Notice 09-90-0018.
EDie employs access control policies (NIHNet single sign-on) and access enforcement
mechanisms (access control lists) for authentication. Additionally, access enforcement
mechanisms are employed at the application level in the form of user assigned groups to further
increase security within EDie. Each group has different access privileges. Access can be
restricted by content and organization.
From a physical access perspective, the Executive Boulevard building is accessible to the public
during regular business hours. There is one security guard on duty during regular business hours
(8:00 AM - 6:00 PM weekdays). The guard is retained by NCI to make frequent foot patrols of
the entire building and surrounding areas (including the basement and garage) and to staff the
security guard desk at the entrance to the building. Due to the shared roles of offices housed in the
building, it is not possible to verify that all NIH visitors to NCI offices have a proper NIH ID
badge, or to require non-NIH visitors to sign a visitor log and be escorted. There is an
administrative assistant stationed inside the front door of the NCI offices during regular business
hours.
There is a guard on patrol duty through midnight on weekdays. Access to the building and
elevators is restricted by access card on nights and weekends. Cardkeys, cipher locks, and/or
keys are required for access to the NCI suites, the computer room, and rooms containing
communications equipment. Access to the computer room and rooms containing
communications equipment is limited to a small number of personnel.
Departing employees and contractors are required to turn in their identification badges, cardkeys,
and keys as part of the exit process. The NCI Administrative Officer is responsible for the control and
return of keys and the reporting of stolen keys. NCI Cardkey Coordinators are responsible for the
control and return of cardkeys and the reporting of lost or stolen cardkeys.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Enterprise Services
and Clinical Trials Reporting Program
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0600
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NCI Clinical Trials Reporting Program
(CTRP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jose Glavez, MD
10. Provide an overview of the system: The Clinical Trials Reporting Program (CTRP) is a
web-based program to submit data about cancer-related clinical trials and to search for data
concerning cancer-related clinical trials. The CTRP system is an electronic resource that is
intended to serve as a single, definitive source of information about all NCI-supported clinical
research. Deployment of this resource will allow the NCI to consolidate reporting, aggregate
information and reduce redundant submissions. Information will be submitted by clinical
research coordinators as designees of clinical investigators who conduct NCI-supported clinical
research.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Only designated, appropriate NCI program and administrative employee and contractor staff will
have full access to the data within the CTRP Database for purposes of portfolio management and
compliance with regulatory and administrative reporting obligations. Access will be limited to
those with a direct need to access the data. Access will be granted to non-Federal staff under a
non-disclosure agreement, and staff will be given mandatory privacy and security training.
Individual submitters to the CTRP Database will have full access to information they have
submitted.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Clinical investigators are
requested to provide their professional contact information, including name, business mailing
address, business phone numbers, and business e-mail address. In addition, clinical investigators
and/or study coordinators are requested to provide the following elements for study subject
accrual information:
• submission title
• submission cut-off date (MM/DD/YYYY)
• description
• study subject ID
• study subject birth date (MM/YYYY)
• study subject gender
• study subject race
• study subject ethnicity
• study subject zip code
• study subject country
• registration date (MM/DD/YYYY)
• study subject method of payment
• disease
• participating site name
(2) The information is collected for purposes of portfolio management, compliance with
regulatory and administrative reporting obligations and appropriate dissemination of cancer
research information to the public. The information will be made available to designated,
appropriate NCI employee and contractor staff for purposes of portfolio management and
compliance with regulatory and administrative reporting obligations. Access will be limited to
designated, appropriate NCI employee and contractor staff with a direct need to access the data.
Access to PII will be limited to designated, appropriate NCI employee and contractor staff with a
direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure
agreement and staff will be given mandatory privacy and security training.
(3) The information contains the following PII: study subject birth date (MM/YYYY), study
subject gender, study subject race, study subject ethnicity, and study subject zip code. Although
CTRP uses a Study Subject ID to identify an accrual record on a given study, this ID is not
linked to information concerning a study subject.
(4) Submission of this information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) NCI will post written notices on the web site portal for
the CTRP system to inform clinical investigators/research coordinators of:
(1) major changes that occur to the CTRP system that affect disclosure and/or uses of PII in the
CTRP system;
(2) changes in the type of PII to be collected from study subjects; and
(3) any changes to how PII is used or shared (from current practice of making PII collected
from study subjects available only to designated, appropriate NCI employee and contractor staff
on a “need to know” basis for purposes of portfolio management and compliance with regulatory
and administrative reporting obligations).
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII will be secured by management,
operational, and technical controls. Some of these controls include user identification and
authentication, the concept of least privilege, and firewalls. Other controls include infrastructure
products, username and password authentication, annual risk assessments, background checks on
administrative employees, and key locks and keycards required to enter server rooms.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Enterprise
Vocabulary System (EVS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4920-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-29
7. System Name (Align with system Item name): NIH NCI Enterprise Vocabulary System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Gilberto Fragoso
10. Provide an overview of the system: NCI Enterprise Vocabulary Services (EVS) provides
resources and services to meet NCI needs for controlled terminology, and to facilitate the
standardization of terminology and information systems across the Institute and the larger
biomedical community.
Two key terminology resources are produced and published by EVS:
NCI Thesaurus is a reference terminology used in a growing number of NCI and other systems.
It provides rich textual and ontologic descriptions of some 50,000 key biomedical concepts.
NCI Metathesaurus is a comprehensive biomedical terminology database, connecting 2,500,000
terms from more than 50 terminologies, including some proprietary vocabularies with restrictions
on their use.
EVS is a partnership between the NCI Office of Communications and the NCI Center for
Bioinformatics. It is a key component of the cancer Common Ontologic Resource Environment
(caCORE) and the cancer Biomedical Informatics Grid (caBIG), and is used in the NCI Web
Portal and Physician Data Query (PDQ) cancer information services.
A new wiki-based component of the EVS system is being constructed to facilitate collaborative
vocabulary development with NCI partners.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The new wiki-based application allows end-users to create web pages to share with other
end-users of the system. The end-users might do this to add additional contact information that they
wish to share with other end-users, as the purpose of the wiki-based application is to foster
collaborative development of vocabularies to be served by the EVS. The professional/business
information is not observable by non-registered users of the application.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. The system collects the
end-user's email address.
2. The information is collected so that password information can be automatically sent on
request by the end-user.
3. No PII other than the email address is required for a person to register.
4. Entering this information is mandatory for end-users of the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1. Notifications will be posted on the wiki-based
application's home page, as well as advertised on a listserv. 2. The nature of the information
collected from end-users, and 3. the use which the EVS will make of this information, will be
posted in a privacy notice on the web site.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to raw data will be controlled
through file permissions, database roles and user groups. Files will be backed up regularly and
stored off site. User access with write permissions will be credentialed (username/password),
and internet access will be protected by a firewall, and encryption used where necessary (login
through https). The production servers are physically secured, in facilities operated by
NCI/CBIIT.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Environmental and
Genetic Lung Etiology (EAGLE)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): NCI-80
7. System Name (Align with system Item name): NIH NCI Environmental and Genetic Lung
Etiology (EAGLE)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anand Basu
10. Provide an overview of the system: Environmental and Genetic Lung Etiology (EAGLE)
is an interdisciplinary multi-center case-control study of lung cancer conducted in Milan, Italy,
designed to explore the genetic determinants both of lung cancer and smoking. The objectives of
the EAGLE study, as identified by DCEG, are as follows:
· Perform genetic profiling of study participants by 15 STR markers
· Conduct analysis of gene expression in adenocarcinoma lung cancer tissue of smokers
and non-smokers
· Identify histologic characteristics of lung cancer in relation to genotype, gene expression,
somatic mutations, and smoking
· Monitor therapy efficacy and survival of lung cancer patients
· Identify lung cancer-affected siblings of cases and the unaffected siblings in the same sibships
· Perform integrative analyses of the above-mentioned datasets in the context of the
epidemiological data from the study.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The agency collects, on a
voluntary basis from authorized researchers, maintains, and disseminates via a strictly controlled
process to authorized researchers de-identified medical data consisting of de-identified
molecular cancer analysis data, including DNA snippets. No personal information is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Global Specimen
Identification Service (GSID)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Global Specimen Identification
Service (GSID)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Ian Fore
10. Provide an overview of the system: This system provides a single point of service to other
software systems on the caBIG grid for managing Global Specimen Identifiers (GSIDs). There
is no human interface. The grid service creates GSIDs, registers them with information about the
requesting institute, verifies that GSIDs are unique (or reports the institute the GSID is
associated with), and supports a directed graph of relations between GSIDs (e.g., parent-child
relations).
No PII information can be stored, or requested, via this service.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The system generates
unique identifiers (128 bit numbers) for software connected to this service, and stores that
number, along with reference material (login information) about the institute requesting the
unique identifiers. The system does not contain Federal contact data and does not collect or store
any other organizations' or users' PII data. The information stored is the individual GSIDs, the
relations between multiple GSIDs, and the institute which requested each individual GSID.
2) The individual GSIDs are stored to assure uniqueness when new GSIDs are requested. The
relations between GSIDs are stored to allow systems to retrieve relation data between specimens
(e.g., a specimen is an aliquot of another). The institute information is stored to allow for
tracking back to individual specimen repositories.
3) None of this information is PII.
4) N/A - no personal information is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Health Information
National Trends Survey
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Health Information National
Trends Survey (HINTS) Web site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lewellyn Belber
10. Provide an overview of the system: The HINTS Web site presents data collected by the
Health Information National Trends Survey. It offers the datasets for download as well as
graphic data for use by journalists, policy-makers, and the general public. The survey has been
fielded 3 times since 2003, and includes data from over 6000 respondents. The respondents are
members of the general public, selected at random, and the survey questions have to do with how
they get health information, how well they understand that information, what they know about
the risks associated with various types of cancer, and other similar questions. The data is in
aggregate form and includes no personally identifiable information (PII). No PII is collected or
maintained by the Web site.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system maintains and
disseminates aggregate survey results.
The information is made available to researchers in the form of downloadable datasets and to the
general public as tabular and graphical data from individual survey questions.
The information does not include PII.
Although submission of personal information is not possible through the HINTS Web site, any
survey response information is provided on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Health Information
National Trends Survey 4 (HINTS 4)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: 0925-0538 approval pending
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH NCI Health Information National
Trends Survey 4 (HINTS 4)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Terisa Davis
10. Provide an overview of the system: HINTS is a survey of the adult US population
authorized by the Public Health Services Act, Sections 411 (42 USC, 285a) and 412 (42 USC
285a-1.3). The HINTS system will collect information on people's cancer communication
practices, information preferences, risk behaviors, attitudes, and cancer knowledge. Data will be
collected via mailed paper surveys over the course of four data collection cycles. In addition, the
system may collect a name, mailing address, personal phone number, military status and
employment status.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The only provision under SORN 09-25-0200 for which disclosure is anticipated is for employees
of Westat who are working on the study and will need access to the PII in order to complete the
study. PII will not be shared with anyone outside of Westat. The routine use of records under
SORN 09-25-0200 includes the following provisions for disclosure: 1) For a research purpose
(e.g., records of tumors for cancer registries); 2) To a member of Congress; 3) To the Dept. of
Justice for litigation purposes; 4) To those working on the study (agency, contractors,
consultants, etc.); 5) To Federal agencies to obtain information on morbidity and mortality
experiences; 6) Public health purposes (e.g. notifying partners of sexual disease); 7) Health
service providers for reimbursement purposes; and 8) Reporting spousal or child abuse. HINTS 4
does not collect most of these categories of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. Government
Authorization: The Public Health Services Act, Sections 411 (42 USC 285a) and 412 (42 USC
285a1.1 and 285a1.3).
2. Purpose of Collection: HINTS will allow NCI and the cancer communications community to
refine its communication priorities, identify deficits in cancer-related population knowledge, and
develop evidence-based strategies for selecting the most effective channels to reach identified
demographic population groups, including typically underserved populations such as minorities
and persons living in poverty.
3. The information collected does contain some limited PII. The PII that will be collected
includes: name, mailing address, personal phone number, military status, and employment
status.
4. Voluntary or Mandatory: Information is provided on a voluntary basis only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1. No changes in disclosure or data use will be
permitted without explicit consent from each survey respondent. In the unlikely event that
permission needs to be sought, consent forms will be sent by US Postal Service to each
respondent.
2. Information about the study and data disclosure is provided to respondents in written form
along with the survey instrument. Completion and return of the survey is considered consent to
participate.
3. PII is used during the data collection period to accurately track study respondents. After the
field period, identifying information will be removed from the database and destroyed. The PII
is not shared with anyone outside of limited study staff (at Westat). Identifying information on
respondents will not be shared with NCI either during or after the study.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII is secured using password-protected
networks, system firewalls, and keycards/identification badges for all physical locations. Data is
maintained in a secure database. Information is secured on the system through access controls,
personal security awareness and training, regular auditing of information and information
management processes, careful monitoring of the information system, control of changes to the
system, appropriate handling and testing of contingencies and contingency planning, ensuring
that all users are properly identified and authorized for access, and that they are aware of the
rules and acknowledge that fact, by ensuring that any incident is handled expeditiously, properly
maintaining the system and regulating the environment the system operates in, controlling media,
evaluating risks and planning for information management and information system operations,
by ensuring the system and any exchange of information is protected, by maintaining the
integrity of the system and the information stored in it, and by adhering to the requirements
established in the contract and statement of work.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI IMPAC II Extensions
(IMPAC II)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4904-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-1
7. System Name (Align with system Item name): NIH NCI IMPAC II Extensions (IMPAC II)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Nelya Gunina
10. Provide an overview of the system: This system extends the NIH IMPACII extramural
information to include the specifics of the NCI extramural business process of grant portfolio
management. This includes the transition from a paper business process to an electronic process
across the life cycle of an NCI sponsored grant. Comprehensive Minority Biomedical Branch
(CMBB) has been rolled into IMPAC II Extensions. CMBB provides metrics to assess the
success rate of the NCI CMBB program and to provide grantees information about other training
opportunities.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No information is shared. Disclosures permitted in SOR 09-25-0036 are not utilized.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Authority for collection of
this information is 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288; 48 CFR
Subpart 15.3 and Subpart 42.15. The IIF that the system captures on the public concerns only
grantees and is obtained from the NIH IMPACII system and the NIH Data Warehouse. The IIF
that the system directly collects is about individuals employed by NCI and involved in the grants
business process. IIF includes, name, work address, work phone number, and financial account
information. Information is given voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) We have an agreement with IMPAC II that describes
what data we will receive and limits how it will be used. If we need to change how it will be
used, the agreement will be renegotiated and notification and consent issues will be part of any
new agreement.
Individuals are notified and consent to the use of their information in this type of system is given
when they receive grants or are hired by the government.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, database roles, least privilege, separation of duties, an intrusion detection
system, firewalls, locks, badge access, background investigations. A comprehensive IRT
capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Inherited Bone
Marrow Failure Syndrome Study (IBMFS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: CE-02-01-04
6. Other Identifying Number(s): IBMFS
7. System Name (Align with system Item name): NIH NCI Inherited Bone Marrow Failure
Syndrome Study (IBMFS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Blanche Alter, M.D., MPH
10. Provide an overview of the system: IBMFS is an MS Access 2007 Application comprised
of a user interface and database. The study aims to identify cancer prone families before the
appearance of cancer, by virtue of their underlying genetic hematologic disease. The system
manages the data collection activities of study participants. Contact information is maintained.
Statuses for consents, clinic visits, biospecimen collections, and self-administered questionnaires
are tracked. Reports list delinquent and expected events as well as summarize study progress.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII may be shared with collaborators, the NIH clinical center investigators and the Clinical
Laboratory Improvement Amendments (CLIA) certified labs. These labs run diagnostic tests
and require the use of patient name in order to meet CLIA standards.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Name, email, home
addresses, and home phone numbers are collected for contact purposes. Date of birth, gender,
disease and affected status are collected in order to characterize the population and to use for
statistical purposes. All information collected is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This is an epidemiological study. Information is
collected over the phone, in writing and in person. Individuals must call into the study to begin
the recruitment process and therefore implied consent for the data is received. Once a participant
is deemed eligible for the study, a written consent form is mailed to them which includes
information about the storage and use of the data. Those individuals who come to the NIH
clinical center are reconsented in person. PII may be shared with collaborators, NIH clinical
center investigators and the Clinical Laboratory Improvement Amendments (CLIA) certified
labs.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The following classes of controls are in
place to protect the APS and respondent PII: access such as user account management, access
enforcement, password strength, least privilege concept, session termination, security awareness
and training, audit and accountability, configuration management, contingency planning,
identification and authentication for users and devices, incident response training, testing,
monitoring, timely and controlled maintenance, physical and environment controls such as id
badges, physical access authorization using access cards, key locks, and cipher locks for building
and room entry, monitoring, visitor control, emergency power, and shutoff, disaster protection
and recovery, system security plan, personnel security, rules of behavior, risk assessment
planning, monitoring, update, technical and communication protection including denial of
service protection, boundary protection, programmable firewalls, establishment of network zones
with varying levels of restrictions, transmission integrity, security certificates, encryption,
regular virus detection and monitoring, policies and procedures are in place for each family
control class.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI International Cancer
Research Partnership Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): International Cancer Research Partnership
(ICRP) Website
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Karen L. Parker
10. Provide an overview of the system: The International Cancer Research Partnership Web
site (ICRP) supports a group of governmental and nongovernmental cancer research funding
organizations with a mission of developing and implementing coding schema for cancer research
projects, which can help identify gaps in the cancer research portfolio. The Web site includes a
public internet (informational only) and an intranet component that is limited to member
organizations. The public site ONLY serves as an information Web site for members of the
public, providing information about the ICRP and its member organizations, access to their
grants portfolio (minus funding amounts), and information for cancer-funding organizations on
how to apply to the ICRP for membership. [Individuals cannot apply for membership. Member
organizations must complete an application, sign a data sharing agreement, submit their data in a
specific format, pay dues.] The intranet site includes the data provided by the approved member
organizations (including the funding data), tools to graphically analyze the data, and space for
members to share documents.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable - the system contains no PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) Each member
organization will provide data about the cancer research that they fund. This information
includes the name of the member organization, type of cancer, area of research, name of the
principal investigator, institution receiving the award, institution's city, state, and country, year of
the award, and (for intranet site only) amount of funding
2) The public Web site provides all data (except for financial data) as an information service to
the public. The intranet site provides additional information sharing and data analysis among the
member organizations.
3) The system will not collect, maintain, or disseminate any PII.
4) The public Web site collects no information. Submission of the grant information described in
question 1 is mandatory for member organizations - a condition of their membership.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The system will not collect, maintain, or disseminate
any PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Investigator
Registration Filing Process
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Requested
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Requested
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Cancer Therapy Evaluation
Program (CTEP) Investigator Registration Filing Process
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Charles L. Hall, Jr.
10. Provide an overview of the system: The purpose of the CTEP Investigator Registration
Filing Process is to manually collect, store, and manage data about registered investigators who
are eligible to receive NCI supplied investigational agents from the Pharmaceutical Management
Branch (PMB) of CTEP. The data collected is stored in hardcopy format in secure filing systems
as well as secure Electronic Filing Systems operated by NCI.
CTEP contractors managing the Investigator Registration Process.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is shared with the FDA and pharmaceutical companies for the purposes of
exchanging clinical trials data.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information collected as part
of the Investigator Registration Filing Process is that contained in the following documents
collectively termed the IR packet. The information collected in the IR packet is used for the
purposes of conducting clinical research. Some of the information provided in the IR packet is
mandatory while some of it is voluntary.
1) DHHS FDA 1572 Form which collects FDA required attributes such as Investigator name,
education and training experience, name and address of medical school, hospital or research
facility where clinical investigation will be conducted, name and address of clinical laboratory
facilities to be used in the study, name and address of Institutional Review Board responsible for
review and approval, and Investigator Signature.
2) Supplemental Investigator Data Form which collects information such as Investigator name,
Degrees, NCI Investigator Number, Month and Year of Birth, Provider number, Primary
Specialties, Investigator related Training Information, Office Address for official correspondence
with the Investigator, Address for Agent shipments, Shipping and Ordering Designee
information and Investigator Signature.
3) Financial Disclosure Form which collects FDA required financial disclosure information
based on four generic questions related to the Investigator’s relationship to any pharmaceutical
company or sponsor to the extent that the investigator has received any compensation from
pharmaceutical companies, or the investigator may have any proprietary interest in any of the
studies not limited to patent, trademark or licensing, or if the investigator has any equity interest
in any pharmaceutical company or if the investigator or his/her institution has received any large
payments in the form of funds, grants or equipment from pharmaceutical companies exclusive of
the costs of supporting conducting clinical studies.
4) The Investigators are also required to submit an updated copy of their resume / CV.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) NCI Investigators who wish to participate in NCI
sponsored clinical trials submit their information to CTEP Investigator Registration Process in a
signed Investigator Registration (IR) packet. This investigator registration packet, along with
an additional cover letter, informs the investigators about the intended purpose and usage of their
information.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Policies and procedures exist for securing
and providing access to IR packet information. For the hard copies of the Investigator
Registration (IR) packet that are filed in the secure filing systems, the filing cabinets are secured
behind double-locked doors with restricted access to the facilities. Only select authorized staff
are allowed to access the hard copies. Access logs for hard copy documents are maintained.
Access to data stored in the Electronic Filing System is through a password-protected account.
The server on which the Electronic Filing System is hosted is maintained in secure, key-controlled
facilities. Audit trails are kept for the Electronic Filing System to track data access.
Since the same hard copy documents are scanned and filed into the Electronic Filing System, no
backups are maintained for the hard copy documentation. Contingency plans exist for the
Electronic Filing System. Backup tapes are not stored offsite.
The system falls under the Privacy Act System of Records Notice 09-25-0200.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Labmatrix (Labmatrix)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: none
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: none
6. Other Identifying Number(s): NCI-84
7. System Name (Align with system Item name): NIH NCI Labmatrix
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jason Levine
10. Provide an overview of the system: Labmatrix is a system which allows for the tracking of
tissue and fluid specimens obtained as part of clinical and translational research, and the tracking
and collation of the results of experiments performed on those specimens. The system uses a
Microsoft SQL database for its back-end data store; data entry and reporting are performed using
either a web-based application or via custom-written applications which access the system via a
standardized API. Labmatrix incorporates a user-based system of security and data partitioning,
providing for the ability to restrict access to the system as a whole and to restrict users to the
ability to view and manipulate only the data to which they have appropriate rights. Likewise, the
security system incorporates a system-wide awareness of the idea of protected health information
(PHI), and enforces strict access to this information on a granular basis to only those system
users with both a need and the rights to know.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is shared among clinical and translational investigators who have been approved by the NIH
Institutional Review Board to collaborate on any given clinical trial, such that these individuals
can maintain accurate records of the specimens and results generated on their clinical trials. As
stated in the SORN 09-25-0200 under Routine Uses of Records Maintained in the system,
including categories of users and purposes of such uses: Disclosure may be made to agency
contractors, grantees, experts, consultants, collaborating researchers, or volunteers who have
been engaged by the agency to assist in the performance of a service related to this system of
records and who need to have access to the records in order to perform the activity. Recipients
shall be required to comply with the requirements of the Privacy Act of 1974, as amended,
pursuant to 5 U.S.C. 552a(m).
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information which will
be collected within Labmatrix will be that for which collection has been approved by the NIH
Institutional Review Board for any given clinical research trial. This generally includes both IIF
and non-IIF, such as: a subject’s name, date of birth, medical record numbers, contact
information, notes about the subject’s clinical care, records of all biological specimens obtained
from the subject during the course of participation in the clinical research trial, and results of
clinical and research tests performed on specimens obtained from the subject. Submission of this
information on the part of the subjects is voluntary, and permission is provided by trial
participants via the standard clinical trial consent process.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) If and when major changes occur to the Labmatrix
system such that data is either disclosed or the use of the data changes, our standard practice
would be to inform the clinical and translational research investigators who have primary contact
with the participants in their trials, and ask them to notify the subjects and obtain any further
consents which are needed. Likewise, we rely on these investigators to obtain the initial consent
from any subjects whose IIF will be stored in Labmatrix, and expect that the IRB-approved
clinical trial consent documents will contain all relevant information about how this information
is both used and shared.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative: Labmatrix incorporates its
own list of permitted users, and restricts administrative control of the system to only those users
who are specifically granted this right within Labmatrix. Similarly, the back-end database
maintains its own list of approved administrative users, and grants administrative access and
control only to these approved users.
Technical: Labmatrix incorporates encryption of all communication that travels over any
network interface entering or leaving the system; this includes secure HTTP for all
communication with the web application, and SSL encryption of all communication using the
APIs for the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Labrador
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NCI Labrador
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: William D. Figg
10. Provide an overview of the system: Labrador is a system for tracking clinical samples and
data related to the collected samples. It will be utilized by lab staff to catalog and barcode
specimens, record information about the specimen and search existing samples.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: We will collect limited
clinical and demographic data, including name, medical record number, date of birth, date of
death, date of cancer diagnosis, type of cancer, treatment protocols, drug administration, race,
gender. This data will be used, along with sample analysis results, to learn about cancer
therapeutics and evaluate factors which predict therapy outcome. Data is associated with
individual sample records. Samples are only collected and entered into the system after patients
have consented to an IRB-approved clinical protocol. Submission of personal information is
mandatory, but enrollment in the collection protocol itself is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each patient has signed a consent form that allows
collection of this data.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI LHC-CCR-Lab Manager for Human Studies Data
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: 0925-0623
6. Other Identifying Number(s): Support Resource Contract #HHSN261201000117C/N02-RC-2010-00117
7. System Name (Align with system Item name): LHC-CCR-LabManager for Human Studies Data
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Elise Bowman
10. Provide an overview of the system: Using taped copies of the State's Motor Vehicle
Administration records of licensed drivers (for Baltimore City and 12 surrounding Counties) the
system identifies potential volunteers with ages, genders, races and jurisdictional locations
matching those of cancer patients in our studies. These names are then placed in an original
project-designed search engine (employing several commercial and well known engines) to
determine if the subjects have a telephone. Those that have phones are mailed letters introducing
the project and then called to ask if they will participate. If they agree to participate, they are
screened during the call for eligibility and scheduled for an in-person interview. There they are
consented with a written and signed statement of purpose and uses of their contributions and the
contractor's interviewer obtains their histories of health, social and occupational experiences and
their biological specimens for future comparison and analyses as controls for those obtained
from the cancer patients recruited using similar questionnaires and biological assay procedures.
Recruitment of all cases and population controls is performed by an NCI contract
(HHSN2612010-00117/N02-RC-2010-00117) for collection of human specimens from subjects
with epidemiological profiles currently held by the University of Maryland School of Medicine
Baltimore. These resources are used in case-control studies of cancer, making Baltimore the
center of the recruitment activity for population controls used in these studies: the Medical
School is the primary contractor and it arranges with the Baltimore Veterans Administration
Hospital to provide access to patients with the specified diseases.
Most of the patients are residents of the state and the population controls required to complete
the study designs are recruited most accurately and economically from these areas. The database
of licensed drivers offers the most efficient possibility of matching the potential controls prior to
offering the opportunity to volunteer for the studies. The alternatives of surveying the
population by telephone or personal contacts in a public setting are time-consuming, fraught with
frustration and failure, and a comparative waste of valuable manpower and funding. Even with
the advantage of the MVA database, only one in eighteen contacted agrees to participate.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosing of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system routinely
collects personal information considered PII such as names, addresses, telephone numbers, and
social security numbers. In addition, completed questionnaires will contain health, social and
occupational histories, including diseases, surgeries, smoking habits, alcohol consumption,
marriage status, parentage, jobs held, etc., and outcome of cytokine quality and quantity,
presence of normal and mutated genes, etc., in test results from donated biological specimens
(blood, serum, plasma, sputum and urine) to analyze environmental and/or genetic risk factors
when compared with results from cancer patients. Submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1. We have contact information from the time of
interview and the plan is to use those data (addresses and phone numbers) to re-contact the
affected subjects and obtain a revised consent. Since we are already using the Internet search
engines to locate phone numbers during recruitment, we will use these same resources to obtain
current addresses and phone information. If they are not found using the original information,
and if we have an updated drivers' license database, we would scan that database to determine if
they appear there, have moved, or have a new phone number. Depending upon the urgency of
the need to make these contacts (as per IRB instructions), we could use Google, Facebook and
other engines to search or in a final effort, run searches on National Death Index and the Social
Security Index to determine if they are deceased.
2. Subjects are sent an introductory letter describing the studies, the need for controls and the
procedures for collecting information and biological specimens. Then they are called by
telephone, asked to participate, given a brief screener to determine their eligibility, and asked for
their choice of a time to be interviewed and to donate biospecimens. Before the interview,
subjects are given a written Informed Consent to read, ask questions about, and to sign. If they
do not sign, they cannot participate. The Consent Form describes the studies, the purpose, the
specimens and the information they are to provide and it gives a description of the uses to be
made of the information and their specimens' test results.
3. The Consent Form that the subjects sign describes the studies, the purpose, the specimens and
the information they are to provide and it gives a description of the uses to be made of the
information and their specimens' test results. Information is shared only as published
summations and analyses.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: 1. Administratively, security is established
by requiring that access be granted only to authorized persons with a need to know or to be
involved, and that all authorized persons be properly trained before being given any access to
established, on-going databases housing participant information, and in particular databases
with PII.
2. Technically, institutional firewalls and VPN accounts are the ultimate front-line defense
against external intruders; internally, security is achieved by requiring that all users be given
unique personal user identifiers or names and unique, protected system passwords to access the
most vulnerable and important databases. Both identifiers and passwords are constructed using
the most recently developed and tested techniques, and no password is duplicated for use in
more than one system.
3. Physical Controls are in place that include the following protections:
a. Human guards at all major points of entry to the facility housing the system,
b. A standard requirement for pictured ID badges to be worn by all authorized personnel granted
access to the system areas;
c. All rooms containing system IT equipment are kept routinely under lock and key, with a
monitor at every main door of access to the equipment, all files, and the on-duty personnel.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI NCI Internet Website
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-5
7. System Name (Align with system Item name): NIH NCI Internet Website - www.cancer.gov
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jonathan Cho
10. Provide an overview of the system: This is the NCI's internet Web site. It disseminates
cancer-related information, including information on prevention, screening, diagnosis, treatment,
and survivorship. Individuals may enter their e-mail address in order to receive the NCI Cancer
Bulletin.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Does not share or disclose IIF. If this changes, disclosure will be done per SOR 09-25-0106.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: SEC.407 (b) (4) of the
National Cancer Act authorizes NCI to: “collect, analyze, and disseminate all data useful in the
prevention, diagnosis, and treatment of cancer, including the establishment of an international
cancer research data bank to collect, catalog, store, and disseminate insofar as feasible the results
of cancer research undertaken in any country for the use of any person involved in cancer
research in any country.” The only information collected is e-mail addresses. It is used to
disseminate the e-newsletter, the NCI Cancer Bulletin. Submission of this information is
voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Individuals enter their e-mail address in order to receive
the NCI Cancer Bulletin. They are told this on the web site when they subscribe. This is
voluntary. E-mail notifications can be sent if a major change to the system is made.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI NCI Local Network
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009 25 0200 01 3109 00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): NA
5. OMB Information Collection Approval Number: NA
6. Other Identifying Number(s): NA
7. System Name (Align with system Item name): NCI Local Network
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Eric Williams
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) NA
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI NCI National
Biomedical Imaging Archive [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI National Biomedical Imaging
Archive
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jonathan Lin
10. Provide an overview of the system: NBIA is a searchable repository of in vivo images that
provides the biomedical research community, industry, and academia with access to image
archives to be used in the development and validation of analytical software tools that support:
- Lesion detection and classification
- Accelerated diagnostic imaging decision
- Quantitative imaging assessment of drug response
NBIA provides access to imaging resources that will improve the use of imaging in today's
biomedical research and practice by:
- Increasing the efficiency and reproducibility of imaging cancer detection and diagnosis
- Leveraging imaging to provide an objective assessment of therapeutic response
- Ultimately enabling the development of imaging resources that will lead to improved clinical
decision support.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII is stored in NBIA
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Clinical trials, physicians
and other researchers submit images to NBIA using the CTP (Clinical Trial Processing)
software, which is loaded on a computer at their location. Images are submitted (and stored) in
the medical image standard, Digital Imaging and Communications in Medicine (DICOM). A
typical DICOM file stores a digital image along with a series of tags that contain metadata about
the image such as patient ID, study ID, patient weight, anatomic site, and so forth. As part of the
NBIA image submission process, the CTP software, prior to uploading the images to NBIA,
performs an anonymization routine to strip out any identifying metadata. Even once an image is
uploaded into NBIA, curators perform quality control on submitted images to ensure no private
patient data is available, the image is of good quality, and so forth. Any images found to contain
identifying data in the metatags are immediately deleted from NBIA, prior to being made
available via search functionality. (2) NBIA was developed to provide the biomedical research
community, industry and academia with access to image archives to be used in the development
and validation of analytical software tools that support lesion detection and classification,
accelerated diagnostic imaging decisions, and quantitative image assessment of drug response.
NBIA provides access to imaging resources that will improve the use of imaging in today's
biomedical research and practice by increasing the efficiency and reproducibility of imaging
cancer detection and diagnosis, leveraging imaging to provide an objective assessment of
therapeutic response, and ultimately enabling the development of imaging resources that will
lead to improved clinical decision support. The search interface used by researchers is also
available to the general public, should they want to use it. (3) NBIA does not contain any PII.
Both automated processes (Clinical Trial Processing software) and manual checks by quality
control staff are used to ensure that PII does not exist in any image or its metadata. (4)
Submission of DICOM images to NBIA is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII is stored in the NBIA system
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no PII stored in the system;
however, the system uses firewalls, passwords, locks, ID badges, background investigations,
network monitoring and an Incident Response team.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI New England Bladder
Cancer Study (NEB)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Clinical Exemption #2009-06-001
6. Other Identifying Number(s): NEBCDS
7. System Name (Align with system Item name): New England Bladder Cancer Study
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Claudine Samanic
10. Provide an overview of the system: A secure database containing contact information for
subjects of an earlier phase of the New England Bladder study and their next of kin; medical data
collected by the study; and health and vital status data on study participants.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The study will collect and
maintain PII for the purpose of tracing and contacting study participants, and integrating medical
information and records into an analytic database. PII will be used to locate and contact
individuals who already participated in a study of bladder cancer, so that we can interview them
and update exposure information, and so that we can obtain medical record information about
initial treatment, recurrence of bladder cancer, disease progression, and death from bladder
cancer. We already have PII from these patients because of their participation in a previous
study. Submission of personal information was voluntary. PII will not be analyzed or
disseminated in any way, and medical and other information will be anonymized and analyzed in
aggregate. Medical and demographic data will be disassociated from IIF once tracing and data
collection end. In the analytic database that will be made available in whole or part to study
investigators, a blinded ID will identify records for individual study subjects. The study will use
analytic data to assess health outcomes of different groups of subjects and to publish disclosure-
proofed findings in scientific journals and forums.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The relevant NCI and other IRBs that approve the
study require formal IRB notification in the event of a disclosure of IIF not approved in advance, or of
any changes in uses of data. The IRBs specify what information the study may collect and how
the information may be used or shared. Only participants who provided consent and participated
in the parent case-control study will be contacted. Participants will be contacted and enrolled by
mail and telephone and verbal consent will be obtained by telephone. Participants will also be
asked to sign an Authorization to Release Medical Records form that will serve as written
informed consent for study personnel to obtain medical records.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Westat requires human subject protection
and data security training of all health studies staff members, and also requires that each
employee sign a pledge of confidentiality. The Senior System Manager monitors compliance to
these and other administrative controls. Systems containing PII and other confidential
information require user authentication (ID and password) for access. User roles limit access to
need-to-know. Physical storage media (paper, disk, etc.) are stored in locked containers or
areas, with key or card access limited to approved individuals.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Office of Acquisitions
(OA)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): no
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): NCI-2
7. System Name (Align with system Item name): NIH NCI Office of Acquisition System
(OA)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anita Hughes
10. Provide an overview of the system: This system collects and maintains pre- and post-
award contract data for reporting to Department and Federal Contract Information Systems
(DCIS & FPDS-ng). The types of information include the socio-economic classification of the
contractor (small, disadvantaged, etc.) as well as information about the type of project.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The primary data collected
by the system is of a financial/budgetary nature. Additional NIH reporting requirements
relating to each project, i.e., the socioeconomic classification of the contractor (e.g., small
disadvantaged business) and information about the type of project (clinical trial, human subject
research, animal research, epidemiological study), are also collected. No personally identifiable
information (PII) on any individual is collected in this system. The project information collected
is required by the HHS Department Contract Information System (DCIS) which transmits the
information to the Federal Procurement Data System-Next Generation (FPDS-NG) which
provides this budget and project information to Congress.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII collected.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Office of Liaison
Activities Database (OLA)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-64
7. System Name (Align with system Item name): NIH NCI Office of Liaison Activities
Database (OLA)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Nelya Gunina
10. Provide an overview of the system: The Office of Liaison Activities Database (OLA)
maintains contact information for advocacy organizations and professional societies. The system
also maintains information about individual advocates that serve the NCI through the Director’s
Consumer Liaison Group (DCLG) and the Consumer Advocates in Research and Related
Activities (CARRA) program.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Does not share outside the agency. Disclosures permitted in SOR 09-25-0106 are not made.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Legislative authority is 42
U.S.C. 203, 241, 289l-1 and 44 U.S.C. 3101, and Sections 301 and 493 of the Public Health
Service Act. Information maintained for advocates who are members of the CARRA program
includes membership status (active or non-active), race/ethnicity/age/gender of member,
occupation, highest educational degree earned, area of educational degree,
primary/personal/constituency cancer type, location/race/ethnicity of constituency, activity
preferences, computer skills, ability to travel, and skills/accomplishments/activities. Information
is used only within the agency. Submission of information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Notification and consent in both cases are done via e-mail.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, and background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Oracle Clinical-
Remote Data Capture (OC-RDC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NCI DCP Oracle Clinical-Remote Data
Capture (OC-RDC)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anne Ryan (Troy Budd is
alternate POC)
10. Provide an overview of the system: OC-RDC serves as the primary database and data
management tool for the Division of Cancer Prevention (DCP) phase I and II clinical trial
portfolio. Westat, the prime contractor on this project, works with the DCP Chemoprevention
Consortia Lead Orgs to develop clinical trial menus into which each consortium can enter participant
enrollment data and adverse events. OC-RDC also provides DCP and Consortia Lead Orgs with
data quality management, including data discrepancy reports, audit trail, etc. OC-RDC is a
DCP effort to manage and support the data collection of clinical trials conducted under our phase
I and II Chemoprevention Consortia Program.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF is present in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Types of data available in
OC-RDC include protocol attributes, site information, agent information, adverse
events, data discrepancy information, and non-IIF participant level data. The information is
critical for data management of DCP chemoprevention consortia clinical trials.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is present in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF is present in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Oracle RightNow
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Significant System
Management Changes
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: 0925-0208
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Oracle RightNow
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Robert Zablocki
10. Provide an overview of the system: The Oracle RightNow_CX houses documentation,
resources, and applications needed by the Cancer Information Service & NCI Project Office to
respond to inquiries and manage operations. Access to 3rd party and custom applications are
controlled through this site through a single sign-on via a CIS Extranet account.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII collected in the Oracle RightNow CX about an interaction with the public may pass through
name, mailing address, and e-mail address information to the Oracle RightNow CX system for
fulfillment of publication requests. Information collected in Oracle RightNow CX for research
purposes may be sent via encrypted exports to researchers for analysis and follow-up.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Through the various access
channels (chat, e-mail, mail, and phone) clients may voluntarily provide PII and other
information including name, address, phone number, e-mail address, health information and
demographic information during the inquiry response, materials ordering, or research
participation processes. This information is only used to provide the requested services to the
client, or shared with researchers during the course of a research study. Aggregate information
that is not personally identifiable is used to describe and improve our services.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Individual public users of the Cancer Information
Service cannot be contacted when major changes are made to the Oracle RightNow_CX and its
applications because contact information is purged on a rolling basis every 90 days. On the
LiveHelp chat welcome page, a written privacy notice is posted letting users know the service is
anonymous and asking not to send PII during the chat. For PII collected during a phone call,
Information Specialists read a statement to clients that information provided will be kept
confidential, and research studies contain their own additional informed consent statements that
are read to clients.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Operational Control Class
Operational controls address security mechanisms that focus on methods that are primarily
implemented and executed by people (as opposed to systems). The operational control class
includes the following nine control families:
§ Awareness and Training (AT)
§ Configuration Management (CM)
§ Contingency Planning (CP)
§ Incident Response(IR)
§ Maintenance (MA)
§ Media Protection (MP)
§ Physical and Environmental Protection (PE)
§ Personnel Security (PS)
§ System and Information Integrity (SI)
Security Awareness and Training Policy and Procedures
The Corporate Information Security Policy addresses information security standards and
guidelines, including security awareness and role-based security training. The section
specifically covers information guardians, upper management, users, data custodians, hosting
security and RightNow corporate officers. Formal Security & Privacy Awareness training is
required for all existing employees with access to customer data, required for all new employees,
and for all employees on an annual basis.
Security & Privacy Awareness is performed on a continuous basis, and is a formal, standard part
of every employee’s “new employee orientation” training. All new employee training is
performed in a classroom, in-person setting, and existing employee training is performed in-
person, or via live web conference. Training records, including date of training, version of
training, name of trainer and employee, are maintained in an online system, for at least six years.
Configuration Management Policy and Procedures
RightNow has a Change and Configuration Management policy that addresses purpose, scope,
roles, and responsibilities.
A detailed flowchart of the Configuration Management procedures is included in the policy and
is automated via workflow within the JIRA application.
Contingency Planning Policy and Procedures
RightNow’s Corporate Information Security Policy specifies a general contingency planning
policy, which is further defined in the Cloud Delivery Disaster Recovery Plan. This document
formally identifies the purpose and scope of the plan, the disaster recover/contingency planning
roles and responsibilities, management commitment, coordination among organizational entities,
and compliance.
The Cloud Delivery Disaster Recovery Plan formally documents the procedures for recovering a
Pod in the event of a contingency or disaster.
Incident Response Policy and Procedures
Currently RightNow includes the incident response policy as part of the RightNow Corporate
Security Policy. The policy references the RightNow Corporate Security Incident Handling Plan
for corporate scope, roles, responsibilities, and procedures. The RightNow Corporate Security
Incident Handling Plan provides the particular incident response procedures that facilitate the
implementation of the incident response policy.
The CIRT at RightNow Technologies is comprised of select members of the Corporate Security
Committee. The leader of the CIRT is the Chief Information Security Officer. The CIRT leader
will determine, for each incident, which parties from the security committee are required in order
to achieve timely and effective resolution of the problem. Resources outside the security
committee may be included in the CIRT as needed. During an investigation, the central point
of contact for all issues is RightNow’s CISO. When the corporate security officer is unavailable,
another member of the security team may be designated by general counsel to handle
coordination of the incident. The designated team leader will coordinate all internal resources
and communications necessary to achieve resolution.
The corporate security office will be responsible for making sure that this policy is followed
during an incident.
System Maintenance Policy and Procedures
The RightNow Change and Configuration Management Policy addresses all changes to the
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Pathway Interaction
Database (PID)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Pathway Interaction Database
(PID)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jeffrey Buchoff, Tanja Davidsen
10. Provide an overview of the system: The Pathway Interaction Database is a highly-
structured, curated collection of information about known biomolecular interactions and key
cellular processes assembled into signaling pathways. It is a collaborative project between the
US National Cancer Institute (NCI) and Nature Publishing Group (NPG), and is an open access
online resource.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. The agency does not
collect any personal information through the system. Molecule and pathway data are entered
into the system by the programmer. Web statistics are tracked as well, which include IP
addresses and URLs.
2. The web statistics are used to determine the amount of system use.
3. The system does not contain PII.
4. No personal information is submitted.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI PLCO Research
Database (PLCO)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-59
7. System Name (Align with system Item name): NIH NCI PLCO Research Database (PLCO)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Guillermo Marquez
10. Provide an overview of the system: The system is used for monitoring, quality control, and
analysis of the PLCO trial.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system is used to store
and monitor data from the participants in the PLCO and NLST prevention trials. Such data
consists of results of screening tests such as chest x-rays, serum PSA and CA-125,
sigmoidoscopy, etc. Medical history and other questionnaire information is also stored. To protect
confidentiality, the data in this system is referenced by a randomly assigned participant ID code
only. The actual identity of the participant is known only to the screening center at which these
tests were conducted. Since these participants are treated as clinical patients at these centers,
their true identity is considered confidential, as with any patient, and is protected in accordance
with HIPAA regulations to which all of these screening centers must adhere.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained. However, no PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Portfolio
Management Application (PMA)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: NA
6. Other Identifying Number(s): NCI-32
7. System Name (Align with system Item name): NIH NCI DCCPS Portfolio Management
Application (PMA)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Everett Carpenter
10. Provide an overview of the system: This application is used by NCI Extramural Division
staff to manage their Research Portfolio (Grants, Contracts, Interagency Agreements), respond
to Congressional requests (coding, searching, reporting), perform mass mailings, and
dynamically disseminate the Research Portfolio on the public web site, etc.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Shared with NREP to identify and collect programs for the RTIPS application. Shared with
Input Solutions Inc. to convert Program Products for RTIPS application. Share RTIPS contact
Information with ASPEN Systems for the purpose of order fulfillment. Dissemination of
Principal Investigator name on DCCPS Public web site. Share CCPlanet contact information.
Information sharing is done in accordance with SOR 09-25-0036.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Public Health Act, TITLE
42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a and 44 U.S.C.
3101. The information is collected and reviewed by the Federal Program and DCCPS
Management Staff to provide timely information for analysis, processing and/or dissemination.
IIF collected is name, mailing address, e-mail address, and phone number. Information is
submitted voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) When data use or sharing changes, individuals will be
notified via telephone or email to obtain consent.
Via the CCPlanet order form, individuals are told how the information will be used/not used and
consent is obtained by the user entering their information and executing the submit order button.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations, scheduled scan of servers and
application code. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI PRO-CTCAE
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 9-25-0200
5. OMB Information Collection Approval Number: #2010-02-001 clinical exemption
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH NCI Patient-Reported Outcomes
version of the Common Terminology Criteria for Adverse Events (PRO-CTCAE)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kathleen Castro
10. Provide an overview of the system: The system is used by clinicians to create, schedule,
and administer symptom surveys to study participants. The system is also used by study
participants (i.e. patients with cancer participating in cancer clinical trials) to provide responses
to these symptom surveys. The system provides the ability to notify or remind a study
participant that they have a symptom survey due.
The system provides two interfaces for study participants to respond to symptom surveys:
1. A web interface where the study participant accesses a web site, authenticates who they are
via a username and password and responds to a symptom survey via the web site. The patient
reads the questions on the screen and clicks to select the appropriate responses.
2. A phone interface where the study participant calls or is called by a phone system, and listens
to the questions on the phone and presses buttons on their phone keypad to select the appropriate
response.
The responses provided by the study participant via either the web or the telephone interface are
coded by the system, mapped to the CTCAE dictionary and saved directly and immediately to a
database. The participant responses to survey questions are not stored anywhere except in the
database. Participants may respond to the questions in either English or Spanish. The database
is housed behind the NCI firewall.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The PRO-CTCAE is used by clinicians to create, schedule and administer symptom surveys to
study participants. Study participant names and dates of birth are shared with clinicians to allow
preparation and administration of surveys.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The system collects and
maintains patient responses to symptom surveys. The data is not only federal contact data.
(2) The system will support investigator authoring of patient reported outcome case report
forms (CRFs) and collect cancer patient responses to questions about their health status,
symptoms, functioning and health related quality of life and integrate this information within the
NCI adverse reporting system.
(3) Yes
(4) All data provided is voluntary
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1) Patients are enrolled on protocols which have been
IRB approved. Patients are provided a written consent describing the PRO-CTCAE system.
Signed consent will be obtained from patients prior to data entry into the system. Patients will be
notified in writing if major changes occur to the system.
2) Signed consent will be obtained from participants by members of the research team. The
consent document informs the participant that study records will be kept confidential as required
by law.
3) Participants are given written consent documents which have undergone IRB approval and
are reviewed on an annual basis by the respective IRB
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: 1. User Passwords (IA-5)
The PRO-CTCAE system account management practices shall adhere to the NCI Password
Policy.
NCI Password Policy:
Users must choose passwords that have at least eight characters and include a combination of all
four of the following types of characters:
Capital letters
Lower case letters
Numeric characters
Special characters (!@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
2. Passwords for Clinical Staff
Clinical staff user passwords will adhere to the NCI Password Policy.
3. Telephone Interface Passwords for Study Participants
The telephone interface passwords, hereafter known as personal identification numbers or PINs,
for clinical trial participants (i.e. patients) will adhere to the following password policy:
Users must choose PINs that have exactly four numeric characters. Special characters may
not be used. Alphabetic characters which correspond to the telephone keypad may be used as a
mnemonic to aid users in recalling their PIN.
4. Procedures for changing/resetting passwords (IA-5)
The PRO-CTCAE system account management practices shall adhere to the NCI Password
Lifetime Policy.
NCI Password Lifetime Policy:
Users must change passwords at least every 60 days to one that is different from the previous 24
passwords used;
Users must change their newly assigned system passwords the first time they log on.
Minimum password lifetime is 1 day.
5. Password Changes for Clinical Staff
Clinical staff user passwords will adhere to the NCI Password Lifetime Policy.
6. Unsuccessful Login Attempts and Account Lockout Settings (AC-7)
The following is the NCI Policy regarding unsuccessful login attempts:
When the system supports it, the maximum number of invalid login attempts during a 15 minute
window is 6 (failed attempts). The account must remain locked for at least 60 minutes or until
manually reset by an authorized administrator or by using a self-registration/reset website utility.
7. System Inactivity (AC-11)
The PRO-CTCAE system policy for managing idle authenticated user sessions shall adhere to
the NCI policy.
NCI Policy:
Session lock mechanisms will be activated automatically on user workstations, server consoles and
other systems after 15-30 minutes of inactivity, when technically and operationally feasible.
Users must log out of their computers or lock their screens when they leave their desks.
8. Caching Passwords (IA-5)
The PRO-CTCAE system policy regarding caching/storing passwords shall adhere to the NCI
Policy.
NCI Policy:
Users are prohibited from caching (auto-saving) NIH or NCI system passwords on the local
system. Passwords should not be stored in websites, programs or scripts, if operationally
feasible.
The PRO-CTCAE system does not prevent users from saving their passwords using browser
enabled password saving. This policy is enforced through user compliance to the policy.
9. Separation of Duties and Least Privilege (AC-5, AC-6)
The PRO-CTCAE system supports the separation of user duties and the principles of least
privilege. Users’ access to the PRO-CTCAE system shall be assigned and restricted based on
role or function within the system, and be limited to the minimum level of access necessary to
perform the assigned duties within the system. Security related user roles will be divided
between different roles through the use of role based access control (RBAC) to the extent
feasible and practicable. Users will be assigned to groups or roles, which have appropriate
permissions and privileges pre-assigned to them. Users must be issued and must use only non-
privileged account credentials when performing non-privileged activities in the system or
application.
10. Account Management (AC-2)
The PRO-CTCAE system adheres to a hierarchical method of user account administration which
closely follows the hierarchy of responsibility employed for the conduct of the clinical tri
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Publications
Enterprise
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 6/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Publications Enterprise
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Robert Zablocki
10. Provide an overview of the system: The Publications Enterprise (PE) system is used to
manage information about NCI publications; control display of publication information on
various ordering interfaces; and intake and process orders for publications. The PE system is
composed of four Web-based order interfaces; a centralized admin tool to house order and
inventory information; warehouse management system; shipping system; issue tracking system;
standard response library; reporting tool; and NCI client report Web site.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII provided by users to create an account or place a publication order is not in any way
disclosed or shared with third parties, NCI, or Lockheed Martin staff except as needed to
process orders or resolve a customer support request. Name, address, and shipping number, as
needed, are shared with FedEx, UPS, and USPS in order to ship requested publications.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: For the purpose of order
fulfillment, name, address, e-mail, phone, and FedEx/UPS shipping number, as needed, are
collected and stored for 90 days before purging. An account registration option is available to
the public on the NCI Publications Locator Web site, where the provided name, address, e-mail, and
phone number information is stored indefinitely; user authentication is required to protect
account information.
Provision of PII is voluntary and only collected in order to process a user’s request for printed
publications. Users may view publications online through the order interfaces rather than place
an order and provide PII. PII is retained for 90 days in case there is an
issue with the shipment. After 90 days all PII data are purged unless connected to a registered
account created by the user through NCIPL. PII data provided through registration are retained
indefinitely.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII provided by users to create an account
or place a publication order is not in any way disclosed or shared with third parties, NCI, or
Lockheed Martin staff except as needed to process orders or resolve a customer support request.
Name, address, and shipping number, as needed, are shared with FedEx, UPS, and USPS in order
to ship requested publications. Reports from the system provided to NCI staff contain aggregate
data only. The privacy policy is available through the order interfaces or by calling/e-mailing the
Publications Ordering Service and is updated as needed to reflect changes. Users may submit
questions or complaints via e-mail or by calling the Publications Ordering Service.
Notice is given online via help files and the privacy policy, and via phone or e-mail upon user request.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII are secured within the Publications
Enterprise system through the following ways:
· Only authorized, authenticated IT staff have direct access to the servers, applications, and
database.
· IT staff access to resources is role-based and limited.
· There is a designated deployment team, and deployments are handled through a secure,
isolated gateway.
· Usernames and strong passwords are required and are managed either through Active
Directory or through LM’s database-driven Global User Authentication Module.
· All production assets are in a central cloud hosting facility that has controlled and limited
physical access.
· Data connected to the Publications Enterprise system are not commingled with those of other cloud
tenants, ensuring control and traceability of data.
· The production environment is logically separated from the development environment.
· Each application in the system has set role-based user permission levels with different
privileges. Users are assigned the appropriate permission level based on their required position
tasks.
PII data are purged from the applications and database on a 90-day schedule. Only users who
opt to create accounts on NCIPL will have PII data retained indefinitely.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Research Resources
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): None
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NCI Research Resources
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Elizabeth Hsu, PhD, MPH
10. Provide an overview of the system: NCI Research Resources is a directory of research
tools and services that the National Cancer Institute (NCI) makes freely available to cancer
researchers on the Web at http://resresources.nci.nih.gov/. This centralized listing of scientific
tools, reagents and services developed by the NCI is provided as part of our ongoing
commitment to cancer investigators to enable and expedite their research. It includes descriptions
of each resource and is organized by research category and by NCI organization. The categories
include animal, specimen, genomic, epidemiological, and scientific computing resources; drugs,
chemicals, and biologicals; clinical trials; and statistics.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This public Web site will
not collect any information from public users - it is simply a catalogue of services. The
application will collect information from NCI staff, but it will not collect any PII. The
information that will be collected from NCI staff, maintained by the application, and
disseminated via the public Web site is the name of the research resource, a description of that
resource, the research category to which it belongs; the NCI organization that provides the
resource; and general contact information for the NCI organization.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Because the system does not collect any PII, there are
no processes in place to manage PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Because the system does not collect,
maintain, or disseminate any PII, there are no controls in place to secure PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Smokefree.gov
Website(s) and Mobile Apps (Smokefree.gov)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NCI Smokefree.gov website(s) and Mobile
Apps
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lewellyn Belber
10. Provide an overview of the system: The system includes a search interface accessible
through the Cancer.gov site (Organizations that Offer Support Services), and an Email Us page.
The search interface is an information site meant to provide users with search capabilities to retrieve a
list of organizations concerned with helping cancer patients and their families/friends. The Email
Us page provides the public with access to submit questions and requests via email or chat to the
NCI’s Cancer Information Service.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The search interface
(Organizations that Offer Support Services) allows users to input their e-mail address in order to
receive selected information via e-mail. E-mail addresses are not maintained or disseminated; e-
mail addresses are provided voluntarily by users and are used only to provide requested
information via this channel. Users have other print options available should they wish to have
this information but not provide an e-mail address.
The Email Us page provides users with access to the email channel staffed by NCI’s Contact Center,
which is covered in a separate PIA, NIH NCI CIS Extranet.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) E-mail address is not stored and so users cannot be
contacted about major changes to the system. Online help files describe features/functions of the
sites and are updated as changes are made.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Starcatcher-
StarGazer (Starcatcher)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-12
7. System Name (Align with system Item name): NIH NCI Starcatcher/Stargazer (Starcatcher)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mary Velthuis
10. Provide an overview of the system: StarCatcher/Star Gazer is a web application in which
the public can enter and submit resumes for referral within the NCI.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Shared within NCI with NCI hiring managers per SOR 09-90-0018. This information is further
addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the
Federal Register, Volume 59, November 9, 1994.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Authority to collect this
information is National Cancer Act of 1971, SEC.407 (b) (4). A limited amount of information
collected via StarCatcher is used by authorized NCI staff via StarGazer to identify candidates
interested in working at the NCI. Submission of information is voluntary. The information
specifically collected is the person's name, phone number, mailing address and e-mail address.
There may or may not be other IIF on the resumes that individuals submit.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Candidates input information into StarCatcher, and upon
entry into the site it is stated that: NCI maintains a resume databank of interested applicants for
professional, administrative and internship positions that may have future openings. If you would
like to post your resume, please choose a job category/specialty that we list.
On the website it is noted that: “The NCI StarCatcher Website accepts resumes from interested
applicants for positions that may have future openings; it is not intended to solicit or accept
applications for official vacancy announcements. Your contact information and resume will be
kept on file in the StarCatcher Website for one year from the date you post your resume.”
There are no procedures in place to notify individuals when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-73
7. System Name (Align with system Item name): NIH NCI Status of Funds Internet Edition
(SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bob Barber
10. Provide an overview of the system: SOFie is a financial tracking tool that allows users to
access financial data and download the data into spreadsheets in order to perform analysis.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: All accounting transactions
are available for viewing in SOFie. The information is used to track and plan fiscal budgets. It
is necessary to have access to this data in order to comply with appropriations laws and
regulations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Survey of Physician
Attitudes Regarding the Care of Cancer Survivors (SPARCCS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NA
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: 0925-0595
6. Other Identifying Number(s): NA
7. System Name (Align with system Item name): Survey of Physician Attitudes Regarding the
Care of Cancer Survivors (SPARCCS) Study Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lynne Harlan
10. Provide an overview of the system: SPARCCS is a mail survey of a national sample of
practicing physicians. Physician offices are called to confirm the specialty of the physician and
the mailing address. Eligible physicians are then mailed a paper survey to complete and return to
Westat. After 3 mailings, physicians who have not returned a questionnaire are called and asked
to participate in the study by returning a paper survey. The Study Management System tracks
the physicians’ contact and eligibility information. Once questionnaires are returned, they are
scanned to capture responses. Individual identifying information is stripped from the response
data prior to delivery to NCI.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Identifying information is provided to authorized study staff in order to make contact with
respondents and to track information. The identifying information is not shared with anyone
outside of Westat. This system falls under the guidelines of Privacy Act System of Records
Notice 09-25-0156.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. Authorization: The
Public Health Service Act, Section 412 (42 USC 285a-1) and Section 413 (42 USC 285a-2)
2. Information collected: SPARCCS collects information about the beliefs, knowledge, attitudes,
and practices of primary care physicians and cancer specialists regarding the care of cancer
survivors.
3. Purpose of collection: NCI’s primary objective for supporting SPARCCS is to identify whether
physicians are meeting the components described by the Institute of Medicine’s 2005 report that
described the essential components of cancer survivorship care within a health care delivery
system. These data will inform the process of standardization of survivorship care practices;
augment the data collected in other cancer survivorship studies such as the Cancer Care
Outcomes Research and Surveillance Consortium and the Cancer Research Network; and
monitor the progress made toward achieving NCI strategic goals of improving the quality of
cancer care across the cancer control continuum.
4. Routine disclosure: There are no routine uses for which IIF would be disclosed to anyone other
than those authorized to use the system (i.e., Westat employees assigned to the project).
5. Voluntary or mandatory? Information is provided on a voluntary basis only.
6. If mandatory, effects of not providing information: Not mandatory; there are no effects if
the information is not provided.
PII collected and maintained includes name, mailing address, phone number, email address and
unique study ID number.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information about the study and data disclosure is
provided to respondents in written form along with the survey instrument. Completion and
return of the survey is considered to be consent to participate. No changes in disclosure or data
use will be permitted without explicit consent from each survey respondent.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: IIF is secured using password-protected
networks, system firewalls, and key cards/identification badges for all physical locations. Data is
maintained in a secure database. Information is further secured on the system by:
access controls, with all users properly identified and authorized for access, made aware of the
rules, and required to acknowledge that fact;
personnel security awareness and training;
regular auditing of information and information management processes;
careful monitoring of the information system;
control of changes to the system;
contingency planning and appropriate handling and testing of contingencies;
expeditious handling of any incident;
proper maintenance of the system and regulation of the environment it operates in;
media controls;
risk evaluation and planning for information management and information system operations;
protection of the system and of any exchange of information;
maintaining the integrity of the system and the information stored in it; and
adherence to the requirements established in the contract and statement of work.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Technology Transfer
Center Online Customer Survey (NCI TTC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-XXXX (Pending approval
sometime in April/May 2011)
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Technology Transfer Center
(TTC) Online Customer Survey
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: John Hewes, Ph.D.
10. Provide an overview of the system: The NCI TTC Online Customer Survey is a web-based
data collection tool designed to assess the satisfaction of NCI Technology Transfer Center (TTC)
customers and collect descriptive, non-confidential information about their company's
communications and marketing. Respondents of this survey include the universe of the NCI
TTC's "external customers" which includes approximately 750 managers and executives in the
320 for-profit companies who have developed biomedical research alliances with the NIH
through the TTC, or made information requests concerning NIH Material Transfer Agreements
(MTAs), Cooperative Research and Development Agreements (CRADAs), Confidential
Disclosure Agreements (CDAs), and other instruments for developing collaborative research.
Only business contact information will be used to correspond with respondents. No PII will be
collected using this system. A secure URL and a password will be provided to respondents to
access the online survey. This website will not be available to the public.
No PII will be utilized or collected from this survey. Only company contact information will be
used. There are 36 questions and none of them ask for PII. In addition, the contact information
requested is company contact information only.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1 & 2. The purpose of the
web-based survey is to gather critical information that will serve the goals set forth by the TTC
to obtain a better understanding of the needs of its external customers in the private sector. The
web-based survey will collect descriptive, non-confidential information about the characteristics
of the respondents' particular company, satisfaction with TTC's customer service, preferred and
expected communications channels of TTC's external customers, and strategic plans of
companies to engage in external collaborations and partnerships. Respondents will not be asked
to identify specific companies.
3. No PII will be collected
4. Submission is voluntary - a statement at the beginning of the survey instrument indicates that
participation is strictly voluntary. There will be no invitation or request for survey participants to
enter or submit personal information. Survey contact information is non-confidential company
contact information collected from online public and subscription databases and any NCI-
internal database of companies that have negotiated collaboration agreements with NCI TTC.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Technology Transfer
Center website (TTC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Technology Transfer Center
Website (TTC)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bonnie Chamberlain
10. Provide an overview of the system: The system, the NCI TTC website, is used to
disseminate technology transfer related information to biotechnology and pharmaceutical
industry representatives, academics, non-profits, and NIH staff.
Disseminated information includes: the TTC mission; Public Health Service and NIH approved
model technology transfer agreements; Technologies that are available for co-
development/collaboration with NIH; brochures that describe technology transfer and the role of
TTC in technology transfer at NCI and NIH, and intellectual property management plan
templates for grantees and contractors. The system also includes a “listserv” where interested
parties (who have subscribed by adding their email address to the subscription request area of the
website) receive a notice by email whenever a new co-development/collaboration opportunity is
added to the website. The notification is sent to the listserv subscribers automatically through a
content management system for the co-development/collaboration opportunities.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) We collect the email
addresses of individuals who volunteer to add them to the listserv we maintain as part of the
website, through which we send them new co-development opportunities. 2) We use the
information to send notices of new co-development opportunities that have been added to the
website. 3) The information may contain PII because individuals list their e-mail addresses.
4) Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1) A notice would be generated through the website
and sent to all listserv subscribers' e-mail addresses. 2) Individuals voluntarily subscribe and add
their e-mail addresses to the listserv. Should a major change occur, they would be given the
opportunity to continue to subscribe or to unsubscribe. Should they no longer wish to receive
co-development opportunities, they can unsubscribe. An option to unsubscribe is included with
every opportunity announcement they receive. 3) They would receive an electronic notice of
any change in the NIH Privacy Policy.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls: The COTR for the
web development/maintenance contract controls who is assigned as a site admin user and relays
the information to the web contractor.
Technical: Access to the email addresses is controlled by the use of User Names and Passwords
to access the site administration area of the website where the email addresses are available.
Only two users are allowed to access the site admin area. One is the primary user and the second
is the back-up.
Physical: Since the email addresses are stored electronically, no "physical access" is available.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI TeleTech eWFM
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Significant System
Management Changes
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI TeleTech eWFM
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Robert Zablocki
10. Provide an overview of the system: TeleTech eWFM uses historic contact center data
concerning the various points of access (phone, chat, e-mail) to determine future volumes and
staff needs. The system is used to create schedules for contact center staffing.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system is used to
forecast contact center staffing needs and create staff schedules. Data collected and stored in this
system contains no personally identifiable information. Only information such as agent names,
skill sets, and work schedules are stored in this application along with details about each
interaction (i.e., handling time, time interaction arrives, time to complete interaction, etc.). The
application also allows reporting of planned and unplanned daily and intraday activities such as
meetings, days off, holidays, etc. to further record events, improving forecasting and staffing
assessments.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not applicable since there is no PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not applicable since there is no PII in the
system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI The Cancer Genome
Atlas Data Coordinating Center (TCGA DCC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): None
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): NCI-83
7. System Name (Align with system Item name): NIH NCI The Cancer Genome Atlas
(TCGA)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carl Schaefer
10. Provide an overview of the system: The Cancer Genome Atlas (TCGA) is a three-year
pilot cancer genome characterization and sequencing project to determine the feasibility of a
large-scale effort to identify most of the genomic changes in three separate tumor types. The Data
Coordinating Center (DCC), establishes and executes standard operating procedures, designs and
implements data analysis procedures that perform quality checks on incoming data and report
anomalies to the data source sites, and implements a data management pipeline to process data
and prepare it for public distribution in formats and systems compatible with the caBIG program.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects medical
gene data that is de-identified. The system does not collect any IIF. There are multiple
de-identifying steps, so that no names, Social Security numbers, or any of the eighteen (18) HIPAA
identifiers are collected. The system does collect de-identified gene data for research.
Patients voluntarily sign a consent form to allow their data to be used for research.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Tobacco Use
Supplement to the Current Population Survey (TUS-CPS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0368
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Tobacco Use Supplement to the Current
Population Survey (TUS-CPS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anne Hartman
10. Provide an overview of the system: The Tobacco Use Supplement to the Current
Population Survey (TUS-CPS) is an NCI-sponsored survey of tobacco use that has been
administered by the US Census Bureau as part of the Bureau of Labor Statistics' Current
Population Survey in 1992-1993, 1995-1996, 1998-1999, 2000, 2001-2002, 2003, 2006-2007,
and will be fielded in 2010-2011 upon OMB’s approval of reinstatement with revision. The
Centers for Disease Control and Prevention (CDC) co-sponsored with NCI the 2001-02, 2003,
and 2006-07 survey waves.
The main data can be requested from the Census Bureau Website. A link to the Census Bureau
Website ordering page is provided from the DCCPS Website:
riskfactor.cancer.gov/studies/tus-cps/info.html.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: There is no PII in the
system. The TUS-CPS is a key source of national and state level data on smoking and other
tobacco use in the US household population because it uses a large, nationally representative
sample that contains information on about 240,000 individuals within a given survey period.
The TUS-CPS generally contains items covering:
cigarette smoking prevalence and history,
current and past cigarette consumption,
cigarette smoking quit attempts and intentions to quit,
medical and dental advice to quit smoking,
cigar, pipe, chewing tobacco, and snuff use,
workplace smoking policies,
smoking rules in the home,
attitudes toward smoking in public places,
opinions about the degree of youth access to tobacco in the community (1992 - 2002),
attitudes toward advertising and promotion of tobacco (1992 - 2002),
cost and purchase of cigarettes (2003-),
treatments and methods used to try to quit/quit smoking cigarettes (2003, 2010-2011),
use of harm reduction products (2003, 2006-07).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI Translational Science
Meeting (TSMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NCI Translational Science Meeting
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Nelya Gunina
10. Provide an overview of the system: NIH NCI Translational Science Meeting participants
register for a workshop and submit abstracts that the participants will potentially present at the
meeting. There is no data on the system and no PII on the system and no data will be collected,
maintained, or stored until July 2010. The information collection mechanism is disabled until
July 2010.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 5 U.S.C. 301; 44 U.S.C.
3101. Meeting participants will register for the workshop and will post a limited amount of
work-related information (abstracts) to a website when a conference is forthcoming. The
information is used to identify the participants and collect their submission information. There is
no data on the system and no PII on the system and no data will be collected, maintained, or
stored until July 2010. The information collection mechanism is disabled until July 2010.
Information will be submitted voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
usernames/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained. There is no PII on the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NCI World App: Key
Survey, PS-OC Survey 2012
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0642-07
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI WorldApp Key Survey
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Katrina I Theisz
10. Provide an overview of the system: Key Survey is a tool that does not collect PII. We are
using Key Survey to develop, distribute, collect, and analyze a customer satisfaction-style survey
regarding the Physical Sciences-Oncology Centers (PS-OC) Program. Business email addresses
will be collected prior to deployment of the survey (thus making it possible to deploy said
survey); no PII will be collected in the survey. This information will be stored securely. To
avoid linking each respondent to his or her email address, WorldAPP has implemented a
procedure to identify respondents with numbers. We will not have access to the list which links
their identification number to their email address, allowing our respondents to remain
anonymous throughout the survey process, ensuring their safety as well as the quality of the data
collected.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. We will gather business
email addresses for the surveys to be sent to. The surveys will not be gathering any PII.
2. We need the business email addresses so we have a way of distributing the surveys to the right
people. The survey will be emailed to each of the respondents and their emails will be stored in
the survey system. Each email will be linked with a respondent number. This is anonymous to
us but it will still be stored for the duration of the survey process (expiration date 09/30/2014).
3. The surveys will contain no PII.
4. Participation is completely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1. N/A. No PII will be shared. Should there be changes
to the online survey tool (ex: WorldAPP institutes an upgrade to Key Survey) the respondents'
email addresses will not be shared, distributed, etc. Upon completion of our survey (once the
data has been analyzed and we no longer need the emails for survey distribution, or 09/30/2014,
whichever comes first), the email addresses will be removed.
2. N/A. We already had their email addresses. The surveys will not collect any PII.
3. The email addresses will be used for the following purposes:
-Distribution of the surveys
-Automated reminders to complete the survey
-Automated reminders that the survey is about to expire
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Animal Order and
Support
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Animal Order and Support
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: James Raber
10. Provide an overview of the system: NEI Animal Order and Support is used to track all
animal orders coming in and out of NEI. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects
biological details about animals, care and housing information, and associates them with
investigators. The system collects this information for tracking and ordering laboratory animals
and their protocols. There is no PII, and submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate
PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not collect, store, or
disseminate PII. All relevant administrative, technical, and physical controls are inherited from
the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI CAF Animal Order
and Support
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Central Animal Facility (CAF)
Animal Order and Support
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: James Raber
10. Provide an overview of the system: Central Animal Facility (CAF) Animal Order and
Support is a NEI run tracking system. This system tracks animal orders for the CAF for multiple
NIH ICs: NIDCR, NICHD, NIMH, NHGRI, NINDS, NEI, NCI, and OD. The system does not
collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects
biological details about animals, care and housing information, and associates them with
investigators. The system collects this information for tracking and ordering laboratory animals
and their protocols. There is no PII, and submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate
PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not collect, store, or
disseminate PII. All relevant administrative, technical, and physical controls are inherited from
the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Cogan Collection
Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Cogan Collection Website
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Don Smith
10. Provide an overview of the system: An extensive collection of clinical ophthalmic cases
and their pathology for use by researchers and clinicians to aid in preventing, diagnosing, and
treating diseases of the eye and visual system. The system does not collect, store, or disseminate
PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Cogan Collection
website is an extensive collection of clinical ophthalmic cases and their pathology for use by
researchers and clinicians to aid in preventing, diagnosing, and treating diseases of the eye and
visual system. The cases and the pathology were collected by the late Dr. David Glendenning
Cogan during his career and are now posted to the internet. There are no access restrictions (i.e.
public access) to the website as it is designed to be available to all doctors, students, etc. for
learning/research purposes. The cases do not identify patients and are intended to be used as a
teaching collection of ophthalmic pathology. The only information provided for any case is age
and gender (i.e., 45-year-old male). Photographs are of different parts of the eye and cannot be used
to identify individuals. PII is not collected, shared, or maintained.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate
PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not collect, store, or
disseminate PII. All relevant administrative, technical, and physical controls are inherited from
the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Computer Inventory
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Computer Inventory
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Don Smith
10. Provide an overview of the system: Dynamic form for collection of NEI computer
inventory information and data. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NEI Computer
Inventory is a dynamic form used to help NEI maintain and track computer inventory and data.
The Inventory form collects information such as serial numbers, computer names, MAC
addresses, IPs, etc. This information is mandatory to maintain an accurate inventory. The
inventory does not collect, store, or maintain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate
PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not collect, store, or
disseminate PII. All relevant administrative, technical, and physical controls are inherited from
the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Employee Database
Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Felicia Powell
10. Provide an overview of the system: NEI EDie is a system that pulls HR information from
the NIH system HRDB. This data is then used by NEI for HR and administrative purposes.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The NEI EDie system only discloses information within NIH during transfers, terminations, and
hires of new employees within NIH/NEI.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie pulls existing HR data
from HRDB, FPS, NED, and FSA Atlas. This includes business contact information for all NIH
employees and contractors, and more specific payroll information for NIH employees only. Its
function is to consolidate the data from these various sources and allow easily customizable
reporting for personnel data analysis. The information includes PII for government employees
only; submission in the original systems is mandatory. Only 6 members of NEI have access to
this data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no notification process yet; one will be
developed with the new NEI EDie C&A.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Logical access to EDie is primarily via the
web site. Specific roles are managed by EDie. Access to the server running EDie is limited to
authorized system administrators via active directory (AD). SQL access is limited to authorized
system administrators via AD and to three SQL accounts. NetComm support staff and the EDie
web application have read/write access to the database information. A SoFie/EDie direct
database link has read only access to EDie. Two system administrators assign access roles to a
restricted group based on job function. Only AOs and ATs (and the sysadmins) have access to
PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Eye Bank (NEIBank)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8710-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): 2004 UPI=009-25-01-26-02-8710-00-202-069, Older
UPI=009-25-01-26-02-8710-00
7. System Name (Align with system Item name): NIH NEI Eye Bank (NEIBank)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Graeme Wistow
10. Provide an overview of the system: NEIBank is a web-based resource for the ocular
genomics community.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The data presented includes
annotated, public domain expressed sequence tag (partial cDNA sequences) collections for
multiple eye tissues from human and several other species; public domain eye-related human
SAGE data; a database of known human eye disease genes from the published literature; and
visualization tools for the genomic loci of as yet unmapped eye diseases. These resources
provide an overview of the known transcriptional repertoire of the eye with visualization of
specific clones, splice variants, human SAGE tag counts and candidate disease regions.
There is no IIF or personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There are no processes in place. The system does not
collect, maintain or store IIF or any user solicited material.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Grants Management
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-8712-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): 2004 UPI=009-25-04-00-02-8712-00-205-080, Older UPI=
009-25-01-03-02-8703-00
7. System Name (Align with system Item name): NIH NEI Grants Management
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Fausto Vela
10. Provide an overview of the system: Supports management of NEI's grants.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system shares IIF with NIH IMPACT II. Information is shared to allow grants management
administration data to be synchronized with IMPACT II.
09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system shares IIF with
NIH IMPACT II. Information is shared to allow grants management administration data to be
synchronized with IMPACT II.
IMPACT II states that Information is given to IMPACT II voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All information is extracted from IMPAC II - all
consent and notification is handled by IMPAC II.
The system does not have any notification and consent processes in place in addition to the
IMPAC II procedures.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical access to the NIH campus requires
an identification badge or registration as a visitor. Physical access to all server rooms is
restricted; a brass key is required.
Data is stored on the system in folders with permissions appropriate to the data. Active Directory
enforces access. Folder owners are responsible for authorizing access for individuals and adding
them to existing permission groups.
Access to the files and databases is through userid and password as enforced by NIH Active
Directory. An additional userid/password challenge is presented when logging in to the database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Histology Lab
Database
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Histology Lab Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chi Chao Chan
10. Provide an overview of the system: Referring physicians send the patient's name, age, and
clinical history as part of request for histological analysis; lab staff enter data; senior lab staff add
test results and generate reports to send back (in hard copy) to the referring physician.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Analysis report is sent back to the referring physician for treatment.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NEI collects patient name,
age, and clinical history from the referring physician; NEI adds a record number and a write-up
of analysis results. The information contains PII, and participation is voluntary, though PII is
required if patients choose to participate.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A detailed consent form is provided to the referring
physician and must be returned with the patient's signature. Patient consent is necessary *before*
samples are sent for analysis, and the referring physician is the logical point of contact. Also, the
analysis is provided to the referring physician for diagnosis and treatment. Because there is no
direct contact between NEI and patients, and because the analysis is a one-time service, no
changes are anticipated after the fact, and no notification process is in place.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical access to the NIH campus requires
an identification badge or registration as a visitor. Physical access to all server rooms is
restricted; a brass key is required.
Data is stored on the system in folders with permissions appropriate to the data. Active Directory
enforces access. Folder owners are responsible for authorizing access for individuals and adding
them to existing permission groups.
Access to the files and databases is through userid and password as enforced by NIH Active
Directory. An additional userid/password challenge is presented when logging in to the database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI HR Tracking System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 8/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI HR Tracking System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Don Smith
10. Provide an overview of the system: The NEI HR tracking system is a database designed to
track the performance of administrative staff on personnel actions (i.e., whether actions are being
completed correctly and within the specified timeframe). It contains information about the
employee, requester, organization, personnel action, and dates of activities completed by
administrative staff.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects names
and organization of NEI staff and progress on various types of personnel actions (i.e. promotion,
time-off award, transfer, re-alignment, etc.), in order to track performance of the Administrative
Management Branch in keeping with its service level agreement. There is no new submission of
personal information, but employee name and type of personnel action are recorded.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The information used in the system is not a new
collection. The actions recorded in conjunction with employee names are performed and tracked
by NEI staff as part of normal business processes involving existing personnel information. No
processes notify or obtain consent from employees. The information is used only to analyze
administrative staff performance in completing actions and is shared only among NEI
administrative staff.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical access to the NIH campus requires
an identification badge or registration as a visitor. Physical access to all server rooms is
restricted; a combination or brass key is required.
Data is stored on the system in directories with permissions appropriate to the data and reviewed
by the system administrator. The operating system enforces access based on the userid.
Access to the files and databases is through userid and password as enforced by the operating
system. An additional userid/password challenge is presented when logging in to a database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI I2I
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI I2I
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lore Anne McNicol
10. Provide an overview of the system: I2I is a readily-searchable NEI grant application
database based on NIH's IMPAC II system. NEI extramural research staff use it to retrieve
information in managing their grant portfolios.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system shares PII with NIH IMPAC II. Information is shared to allow grants management
administration data to be synchronized with IMPAC II.
09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: I2I imports grant data from
IMPAC II for simpler, more customized viewing. We use the information to analyze, review,
and decide which grants we are going to fund. Applicant name, birthdate, phone number, e-mail,
and address are included; contact info could be business or personal. Submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All information is extracted from IMPAC II - all
consent and notification is handled by IMPAC II.
The system does not have any notification and consent processes in place in addition to the
IMPAC II procedures.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Everyone who comes onto the NIH campus
must have an identification badge or register as a visitor. Physical access to all server rooms is
restricted; a brass key is required.
Data is stored on the system in folders with logical access appropriate to the data. Domain
controls restrict access. Folder owners are responsible for authorizing access for individuals and
adding them to existing permission groups.
Access to the files and databases is through userid and password as enforced by NIH Active
Directory. An additional userid/password challenge is presented when logging in to the database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Internet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): Old:
2004 UPI 009-25-01-27-02-8711-00-305-109, Old UPI: 009-25-02-01-02-3036-00
7. System Name (Align with system Item name): NIH NEI Internet Web site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kym Collins-Lee
10. Provide an overview of the system: To share information with the public about vision
research and eye diseases and disorders.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Mailing list and contact information for those requesting information from NEI's Office of
Communications. 09-25-0106
A separate email list is maintained by the subscribers. It contains only the email address of the
subscriber.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Contact information is
voluntarily collected. Information collected is only the information necessary to mail pamphlets
or other printed information. Email address is voluntarily entered if the user joins an email list.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is submitted voluntarily, consent is
assumed when contact information is submitted. Individuals may request corrections to or be
removed from the email list.
There are no processes in place to notify users when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Requests for information, name and
address, are only available to NEI staff.
Email addresses on the email list are maintained by NEI staff and by specific request of the
subscriber.
The system is monitored daily for intrusion using Big Brother, system logs, disk usage, and other
indicators of intrusion. McAfee Outbreak Manager is used to control any possible virus
outbreaks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Intranet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): National Eye Institute (NEI) Intranet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anna Harper
10. Provide an overview of the system: The NEI Intranet Website is an information sharing
site dedicated to providing only NEI users with vital information about NEI as an organization as
well as useful administrative information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: N/A - No PII collected or
disseminated
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All security controls can be found in the NEI GSS
C&A SSP. The NEI Intranet falls under the NEI GSS and inherits all its controls.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: All controls can be found in the NEI GSS
SSP.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI NEI eyeGENE
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/3/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NEI eyeGENE v6
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Santa Tumminia
10. Provide an overview of the system: The eyeGENE system stores phenotype, genotype,
patient demographic, and other administrative data collected from various types of participating
users. Sharing this information among clinicians and researchers allows the analysis of larger
datasets that are necessary to identify novel genetic risk factors for ocular diseases, and answer
pharmaco-genetic and epidemiologic questions of ocular disease.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The eyeGENE system is accessed by four classes of users: clinical, CLIA Lab, central
administrators, and researchers viewing anonymized data through the analytical interface. The
last category of user never has access to any PII.
Clinical users have full access to PII for the patients of their own clinic. This PII would be
maintained and accessible to all such users via medical records in their clinic.
All CLIA users have IRB clearance that requires close protection for any PII they may view.
Nevertheless, CLIA users do not see the name, address, phone number, or other related
identifying information concerning a patient for whom DNA has been shipped for processing.
The only identifying information that a CLIA lab sees for a patient is race, sex, and date of birth.
Race and sex are required to be accessible as these are related to the genetic test results being
processed. DOB is required to ensure that the DNA tube being processed is in fact for the
correct patient. Once again, all CLIA lab users must have IRB clearance, which ensures
protection of these small pieces of PII data.
eyeGENE central administrators, all of whom are staff of the NEI, have access to full name,
address, phone number, race, sex, and DOB for patients, as these are needed for various
eyeGENE functions. All such staff who have access to this data are subject to rigorous security
screening and all are authorized to view such PII data.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The eyeGENE system
collects data for phenotypes, genotypes, tissue specimens, medical images, consent forms,
patient demographics, specifications for event-triggered emails to selected eyeGENE users,
dynamic metadata defining clinical questions for each diagnosis, plus supporting administrative
and additional data. This data is collected to allow researchers to analyze correlations between
phenotypes and genotypes for inherited eye disorders, and also to manage the real-time
collection and validation of such data as entered by multiple eyeGENE partners. This
information is shared with individually identifiable data fields only by those authorized users
directly involved in handling this information, including clinicians who perform exams on this
patient. Aggregated and anonymized data, containing no PII data, will be made available to
authorized users with a research interest in this data. A limited set of PII is collected for
patients, primarily in fields for name, address, phone number, race, sex and date of birth.
Access to PII is carefully controlled and protected, with access only by authorized users and
multiple layers of security protection as well as audit tracking for all system functions.
Submission of this limited set of PII for patients is mandatory, as clinicians must have access to
such information for appropriate patient care.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A written, signed consent form is required for patients
to participate. For each participating clinical organization collecting data, the phone number of
the organization and the email address of at least one staff member of the organization are kept as
contact information in case an intrusion into eyeGENE that could compromise privacy is
detected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The eyeGENE system is accessed by four
classes of users: clinical, CLIA Lab, central administrators, and researchers viewing anonymized
data through the analytical interface. Each class has its own distinct level of access and
verification.
Technically, the system design of eyeGENE contains multiple protections to ensure that all data,
including PII, is available only to authorized users. These security protections are designed to
high government standards, and are closely reviewed for each new release of the eyeGENE
system. In addition, an audit log is maintained tracking each time any user accesses PII, which
serves as a double-check to track who viewed such data.
Physically, all eyeGENE data is stored on CIT servers, hosted at NIH, behind the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI NEI GSS [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 6/29/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): National Eye Institute General Support
System (NEI GSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Fausto Vela
10. Provide an overview of the system: NEI's mission for the NEI GSS is to support eye
research for public health by providing services to its users and the public. NEI GSS also holds
these systems under its C&A package:
Administrative Activity Form
AMB Staff Form
AMB Survey
CAF AFMS
Cogan Collection Website
Computer Inventory
Conference Room Reservation System
Employee Directory Internet Edition (EDie)
Histology Lab Database
Human Resources Tracking
I2I
Material Transfer Agreement (MTA) Mouse Database
NEI AFMS
NEI Audacious Goal
NEI Data Storage Device Request Form
NEI Intranet Website
NEI REWARDS
NEI TGMDB
NEIBank
NextGEN EHR
Oracle Password Changer
Property Custodial Officer Form
Property Forms
Remedy Service Ticket Submission
Retinal Disease Interest Group
Software Request Form
Status of Funds Internet Edition (SOFie)
Telework
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NEI GSS only collects
internal business and research data for use with its program areas. This includes information that
is work related such as work email, phone number, etc. No personal information is collected or
disseminated.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The NEI GSS does not collect, store, or
disseminate PII. All administrative, technical, and physical controls are described in full in the
NEI GSS SSP. There are multiple levels of security for the NEI GSS, ranging from operating
system controls to weekly checks for accuracy by the ISSO.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI NextGen
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI NextGen
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Elizabeth Murphy
10. Provide an overview of the system: The NextGen system (COTS from NextGen
Healthcare Information Systems, Inc.), is a highly customizable system for the capture of clinical
data. The NEI has implemented this system as a clinical research database, which is used by all
authorized clinical personnel for the real-time capture of clinical research data in the NEI
outpatient clinic. This data includes demographic, medical history, medication and ophthalmic
data. All data in the system is collected as part of IRB approved clinical research protocols
which govern its use.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Data is shared for the purpose of clinical research, as part of IRB approved protocols involving
members of different ICs.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NextGen system is used
for the real-time capture of clinical research data in the NEI outpatient clinic. This data includes
demographic (including PII), medical history, medication and ophthalmic data. All data in the
system is collected as part of IRB approved clinical research protocols which govern its use. The
collection of personal information is mandatory for enrollment in a clinical protocol, however
said enrollment is completely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Within an ongoing clinical protocol, changes to the
protocol, including changes in how the data from the protocol will be used, can trigger the need
to re-consent the patient. This re-consenting process informs the patient of the changes. Data
from a terminated clinical protocol can be re-used with the permission of the IRB, although it
would be de-identified before re-use unless the patient was contacted to re-consent. The method
for contacting the patient would be determined by the IRB based on the information which was
to be included in the research analysis.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to the PII on the system is managed
through the process of only granting login accounts (user name, password and/or PIN) to
authorized clinical personnel. Logins are managed as security groups to further manage the level
of access, ranging from read-only for low-level support staff to full access for system
administrators. However, because of the interface from the hospital admissions department, all
local changes (changes by users with login access) to demographic information (name, address,
DOB, etc) will be over-written by the patient authorized changes transmitted from the NIH CC
admissions department.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Oracle Password
Changer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Oracle Password Changer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Don Smith
10. Provide an overview of the system: Enable users to change their own Oracle passwords
without logging on to Oracle. This application runs internally and adheres to the NIH password
policy. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system requires the
user's Oracle username and password, so they can update their password periodically for good IT
security. Users can be NEI staff, including employees and contractors. The information contains
no PII. No PII can be used to substitute for a username or password, and rules are strict enough
that it is unlikely anyone will use PII for their password.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate
PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not collect, store, or
disseminate PII. All relevant administrative, technical, and physical controls are inherited from
the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Telework
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: no
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NEI Telework Application
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Trevor Peterson
10. Provide an overview of the system: NEI Telework Application is a NEI Automated System
that allows for the submission, routing, and approval of telework requests. It is an institute-wide,
mandatory, automated system that replaces a manual process.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Disclosures are made in accordance with SOR # 09-25-0216
Names and contact information of individuals are collected and may be shared within the Institute or
division in order to carry out the business process.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system is used to
request approval for telework and store agreement (schedule, work arrangement, justifications)
and necessary contact information (name, work org, address, phone, fax, e-mail, home address,
phone, fax). Other than names and contact information of applicant employees, and the names
and e-mail addresses of the approving officials, it tracks no other personally identifiable
information. The workflow process involved allows the position and disposition of a task or
activity (with whom, when) to be identified in the organization. Information is obtained
voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The IIF contained in the system is that of employees
and contractors of the Institute. This information was obtained voluntarily from the employees
and is used to manage administrative tasks within the department. There is no process in place to
notify individuals of how their IIF will be used or if major changes occur.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical access to the NIH campus requires
an identification badge or registration as a visitor. Physical access to all server rooms is restricted;
a combination or brass key is required.
Data is stored on the system in directories with permissions appropriate to the data and reviewed
by the system administrator. The operating system enforces access based on the userid.
Access to the files and databases is through userid and password as enforced by the operating
system. An additional userid/password challenge is presented when logging in to a database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI Transgenic Mouse Database
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Transgenic Mouse Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Eric Wawrousek
10. Provide an overview of the system: The transgenic mouse database is a central repository
for information about transgenic mice we are maintaining, and have maintained, in the NEI
Intramural Research Program (IRP). It also tracks frozen mouse lines. Since the NEI Genetic
Engineering Core tracks thousands of mice, and thousands of frozen samples, it is absolutely
essential to have this information in an orderly database from which data can easily be retrieved.
The database consists of multiple data tables in an Oracle database. The front end is accessed via
a set of programs in MSAccess, and there is a web interface which allows IRP investigators to
retrieve information about their mice directly from the database. The system does not involve
PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Most of the information
in the database is generated by the Genetic Engineering Core (GEC). It deals only with
investigators' mice and frozen mouse lines, and all information is only for government use. We
do have investigators' names and their NIH laboratory and section affiliation. No personal
information is maintained. (2) We use the information internally only to track GEC services
provided to individual investigators. (3) As stated in (1), the system contains only the name of
the federal investigator and his/her NIH laboratory/section affiliation. (4) Not applicable.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate
PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A--The system does not collect, store, or
disseminate PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NEI VISION Network Members Only
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): VISION Network Members Only
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kym Collins-Lee
10. Provide an overview of the system: The purpose of the VISION Public Information
Network is to communicate vision research results to the public through its grantee institutions.
Public Information Officers from NEI grantee institutions work with the NEI to develop ongoing
programs to educate the public about the benefits of vision research. The Members Only section
allows members to access special media materials, to post news releases, projects, and events,
and to advertise job opportunities.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
(1) Disclosure may be made to a congressional office from the record of an individual in
response to an inquiry from the congressional office made at the request of that individual.
(2) Disclosure may be made from this system of records by the Department of Health and
Human Services (HHS) to the Department of Justice, or to a court or other tribunal, when (a)
HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c)
any HHS employee in his or her individual capacity where the Department of Justice (or HHS,
where it is authorized to do so) has agreed to represent the employee; or (d) the United States or
any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its
components, is a party to litigation or has any interest in such litigation, and HHS determines that
the use of such records by the Department of Justice, court or other tribunal is relevant and
necessary to the litigation and would help in the effective representation of the governmental
party, provided, however, that in each case, HHS determines that such disclosure is compatible
with the purpose for which the records were collected.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Names and e-mail addresses
are used by the NEI staff and grantees to access the system to update the information and add
new study descriptions. Names and e-mail addresses are required for the user to access the
VISION Network Members Only section. Contact information of list members is available only
to each other.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A statement is included on the web site indicating the
only usage is for the subscribers to communicate with each other. The only information
collected is that supplied by the subscriber. If any change of information usage is made the
subscribers will be contacted via email.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The server containing the VISION Network
Members Only section is maintained by an NEI contractor who follows guidance from NSA,
NIST, SANS, and CERT to maintain the security and integrity of the system.
Information contained in the lists is maintained by NEI staff and by specific request of the
subscriber.
The system is monitored daily for intrusion using Big Brother, system logs, disk usage, and other
indicators of intrusion. McAfee Outbreak Manager is used to control any possible virus
outbreaks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Attention Deficit Hyperactivity Disorder Database [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-9199-00-404-138
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: not applicable
6. Other Identifying Number(s): not applicable
7. System Name (Align with system Item name): NHGRI Attention Deficit Hyperactivity
Disorder Database (ADHD)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Maria Acosta, MD
10. Provide an overview of the system: Database of demographic and clinical research data on
ADHD (Attention Deficit Hyperactivity Disorder).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Data is shared among members of the ADHD research team. This information is further
addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the
Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Name, date of birth, mailing
address, phone numbers, medical notes, email address, family and blood sample accession
numbers, questionnaires completed by study subjects. Information is given voluntarily.
This research study on the genetics of Attention Deficit/Hyperactivity Disorder is collecting
information from families with affected children in order to better understand the impact of
genetics on the transmission of the disorder, and its manifestations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Patients and/or parents sign an IRB (Internal Review
Board) informed consent form mailed to them and mailed back to the research study coordinator.
Patients and/or parents are informed that protocol related information will be used for research
purposes and restricted to study team members only. Families that agree to participate are
contacted by the study coordinator. No changes to the system or modifications to the database
have been made since the original design. No modifications are expected. Currently there is no
reason to re-contact families that have finished the data collection part of the study.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access is limited to research team members
only; files are backed up regularly and backup files are stored offsite; a user ID and password are
required; a firewall is present; accounts are locked after five minutes of inactivity; computers are
kept in locked offices.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Gloria Butler, 301-594-1061
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Career Resource Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 0
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): no
5. OMB Information Collection Approval Number: 0
6. Other Identifying Number(s): 0
7. System Name (Align with system Item name): NHGRI Career Resource Web Site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carla Easter
10. Provide an overview of the system: The National Human Genome Research Institute
(NHGRI) has developed an interactive on-line Genetic and Genomic Careers Resource Tool.
The main goals of the web site are to educate and engage the audience in understanding what
“genomics” is and to identify and describe the careers that exist now and may exist in the future
in these highly active and emerging fields of science.
The web site is designed to provide Internet access to:
Inform students about possible careers in genetics and genomics;
Show the relationship between genetic careers and other disciplines (e.g., science writing);
Provide a resource for students, career counselors, parents, and teachers;
Provide viewers with a basic understanding of important information about genetics and
genomics research; and
Expose the audience to professionals doing cutting-edge science.
Web site visitors will have the option to create their own “personal” web page within the site
(which will be password protected) by setting up a logon profile. Personal pages will allow
owners to create their own personalized list of the careers that they are most interested in and to
rank their site preferences. Users will have the option to utilize this feature of the web, but will
not be required to create a profile in order to use the site itself. Users may create a profile by
creating a username and password that will allow them to access the site. User login information
will not be managed by this site. If the user name and password are forgotten, the user will have
to establish a new set of credentials. The user has full control of his/her personal page; NIH will
not collect any information to manage these pages.
Users of this site cannot customize their personal pages to contain any contact information, links
or photos. The personal page only tracks choices made from the site while the person is on the
site.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Registration information for
setting up a personal profile/web page includes a user defined username and password of the
user's choice which will be maintained on the server. This information is needed only if the user
creates a personal web page, and wants to access it at another time. Creating a personal profile is
not required (is voluntary). No IIF is collected or stored on the system. The information
provided is about genetic careers and other disciplines (e.g., science writing).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: Yes
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Gloria Butler, 301-594-1061
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Community of Genetic Educators (CoGE)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Community of Genetic Educators (CoGE) NIH
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jeff Witherly
10. Provide an overview of the system: The "Community of Genetic Educators" web site was
created to help connect genetic educators online. It is a forum for information sharing. With so
many resources available, it is sometimes difficult for educators to know what will work in the
classroom. This web site may be used to find resources, recommend resources, learn from
other members in similar situations, act as a mentor to other members, submit helpful lessons
learned and resources, and work with the education team at the NIH Genome Institute (NHGRI)
in reviewing and refining learning tools.
Each site visitor is asked to register on the first visit. Registration includes setting up an
account with password, name, email address, state/country, zip code, language, time zone,
current education position, type of school info, teaching experience and instructional focus.
Voluntary information that further defines the visitor includes affiliations, a text box for a
biography and the option to add a photograph.
After registration the visitor is given immediate access to the site which includes many resources
and a messaging forum.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: To register for site access,
the following information is mandatory: First and last name, email address, country, state, zip
code, language, time zone, current education position, other positions, type of school, minority
serving institution, location, school level, teaching experience, and instructional focus. Of the
information required, name and email address are considered to be information in identifiable
form (IIF).
The following information is voluntary: affiliations, biography, photo. A photo is considered to
be information in identifiable form (IIF).
The "Community of Genetic Educators" web site was created to help connect genetic educators
online as a forum for information sharing (see the system overview in Q10).
Each site visitor is asked to register on the first visit. Registration includes setting up an
account with a password and supplying the mandatory information listed above. The voluntary
information further describes the visitor and serves to introduce this person to others visiting
the site.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is an extensive Privacy statement displayed on
the registration page. Additional information is made available through a link called “Privacy”
displayed on each web page, which includes the following:
Personally Provided Information
Information Required For Membership:
We require each member to enter a limited amount of personal information as part of the
registration process of the CoGE web site. This information is typically required as part of our
NHGRI educational course registrations, and will be used at the CoGE for contacting CoGE
members about events, opportunities, and new educational products of value.
We have made every attempt to make the required information as minimal as possible for
members. This information includes: your name, your email address, country, state, zip code,
and current educational position (teacher, administrator, other). We will also ask you to choose a
member name and a member password.
Your real name and your email address are not shared online in the CoGE. Only CoGE
administrators have access to this personal information. Members will only know your member
name and your CoGE email address.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The amount of IIF collected is minimal,
only that which is absolutely needed to meet the system's purpose.
Registration information is not available to the users of this site unless they choose to share it
with one another. This voluntary sharing of information is not managed by the system.
From an administrative point of view, only a limited number of staff have access to the IIF.
Support personnel have access for maintenance purposes. The system owners and
administrators have access for the creation of aggregate reports. A well-constructed set of
rules of behavior is in place for all who have access to the IIF.
The technical and physical aspects are addressed by placing the system on a secured server in a
secured location. A separate C&A was completed by the IT staff for the server that houses this
application.
PIA Approval
PIA Reviewer Approval: Demote
PIA Reviewer Name: Gloria Butler: 301-594-1061
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Edie
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NHGRI Edie
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Pamela Klein
10. Provide an overview of the system: Employee Database System Internet Edition (EDie) is
the web-based and enhanced version of the VEDS. EDie, a client-server application, provides
integrated, next-generation solutions with web-based access to employee management data.
Personnel information is funneled through the HRDB, NED, and FPS databases to EDie,
providing administrative staff with up-to-date information on all personnel. This information is
important to ensure that renewals are processed in a timely fashion and that new hires are
captured, to support FTE/non-FTE projections, and to ensure that NHGRI's pay structure
remains equitable for all positions.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal administrative use only and will not be shared by other
entities. Refer to SORN 09-90-0018, SORN 09-90-0024 and SORN 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, Fellowship
Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses
consist of the following: a) tracking time-limited appointments to ensure renewals are done in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary equity across the various hiring mechanisms; d) providing reports
requested by the NIH Director, the IC Director, and other management staff; and e)
maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments.
The information collected constitutes IIF and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF in the system is downloaded from the HRDB, FPS,
nVision Data Warehouse and NED. Changes to HRDB, or changes in the way information is
used, are relayed to employees via official notices from the NIH Office of Human Resources
(OHR). Individuals are notified of the collection and use of the data as part of the hiring process.
This is a mandatory requirement for job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: IIF stored in EDie is accessed by a very
limited number of administrative staff with a "need-to-know" status. EDie is password-
protected and sensitive data is encrypted. The system is located on a server in a secure server
room behind the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Gloria Butler: 301-594-1061
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI LabMatrix
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: n/a
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: not applicable
6. Other Identifying Number(s): not applicable
7. System Name (Align with system Item name): Labmatrix
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr Gretchen Gibney
10. Provide an overview of the system: A research and clinical database that contains
information related to clinical and research laboratory data collection and findings from
Institutional Review Board study protocols. NHGRI professional medical staff (MD, RN,
Genetic Counselor) and scientific laboratory personnel (PhDs, technicians, data managers)
access it for research purposes only.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Restricted to research. This information is further addressed in the NIH Privacy Act Systems of
Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September
26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: A research and clinical
database of patient PII, including demographics (e.g., address, date of birth, gender), study
enrollment and consent information, medical records, test results, medical record number,
photographic identifier, email address, and employment data. The database contains IIF.
Submission of information is voluntary. Information is used for research purposes only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Individuals whose PII is in the system have provided it
voluntarily for research purposes with implicit consent and/or explicit consent by way of an
Institutional Review Board (IRB) approved consent form. In the event of significant changes in
disclosure or usage of data collected under the authority of an IRB consent process, individuals
would be re-consented per IRB guidance.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access is restricted through NIH Log-In to
authorized users, and administrative and technical access controls for each user are specified
individually on a least-privilege basis. All data transmissions are encrypted, all transactions are
monitored, and the application and database servers are housed in a locked, secure setting.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Gloria Butler, 301-594-1061
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI NHGRI
Twinbrook Data Center [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: no
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): no
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NHGRI Twinbrook Server Room
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: William (Bill) Kibby
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information. Note: an ATO extension was granted to the II
Democracy Data Center as it will be decommissioned and relocated. For this reason, no updated
C&A was done this year.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Gloria Butler: 301-594-1061
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI NHGRI Two
Democracy Data Center [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHGRI Two Democracy Server Room
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: William (Bill) Kibby
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information. As of 2012, an ATO extension was granted to the
II Democracy Data Center because it will be decommissioned and relocated. For this reason, no
updated C&A was done this year.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS. As of
2012, an ATO extension was granted to the II Democracy Data Center as it will be
decommissioned and relocated.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Gloria Butler: 301-594-1061
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): no
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NHGRI Status of Funds Internet Edition
(SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ann Fitzpatrick
10. Provide an overview of the system: An organizational reporting tool that allows an
organization to manipulate and report on financial transactions downloaded from the NIH
Central Accounting System. The information is general accounting information by category, with
totals by category, and contains no PII specific to employees. SOFie successfully underwent an
annual ITB Security Review.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
no
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Accounting data and related
document information are downloaded from the Central Accounting System (CAS) and are
specific to the NHGRI/OD Office for its fiscal year operations. The information is general
accounting information by category (e.g., wages), with totals by category, and nothing specific to
individual employees. The system contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Gloria Butler; 301-594-1061
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Undiagnosed
Disease Program (UDP)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: no
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NIH Undiagnosed Disease Program (UDP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: David Adams, M.D., Ph.D.,
Building 10, Room 10C103B, NIH Bethesda Campus, 20892. Phone 301 402 6435
10. Provide an overview of the system: Microsoft SharePoint will be used as a tool to store
data so that medical information related to the Undiagnosed Disease Program (UDP) can be
shared easily with medical staff involved in the UDP program. Those who will have access are
NIH credentialed clinical providers and administrative persons who handle identifiable clinical
data in other forms (for example, UDP-associated non-clinical CRIS users).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
no
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. Collected information
will include such items as scanned medical records sent to the NIH, participant photographs, and
binary files from tests that cannot be stored in the available clinical information system, e.g.
electroencephalogram data.
2. The information will be stored in order to provide access to NIH clinical staff who need to
review the extensive medical histories associated with typical UDP participants. Such review
will allow the users to make decisions about accepting individual participants, and to plan for
the care of participants who will travel to the NIH to participate in the UDP program.
3. The information will contain PII
4. Participation in the UDP program is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The data contained in this system is collected in accord
with the clinical consent used for the UDP program. The original copy of the information is the
hard-copy that is sent by the participant to the NIH. The SharePoint copy of the data will be used
for the same purpose the original is used for, i.e. review by NIH clinical providers. If new uses of
the information are proposed by the UDP investigators, the mechanism of those new uses will
involve the hard copies and not the electronic copies on this system. To summarize, the rules for
this SharePoint resource will be forced to be equal to or more restrictive than the rules for the
medical record hard copies, thereby allowing the resource to be used within the constraints of the
original clinical consent process. Individuals will be given notice of consent electronically.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This application is on a server in our data
center. Access is granted by userid and password (the user must be in the NIH employee
database). This program inherits all the security controls which are in place at our data center.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Gloria Butler; 301-594-1061
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Clinical Data
System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7213-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NHLBI Clinical Data System (CDS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Matt Raschka
10. Provide an overview of the system: The NHLBI-CDS collects and manages data
emanating from clinical studies and allows for monitoring recruitment and tracking patients. It is
a multi-tiered, Web-based system where research-related data are entered to facilitate the
generation of regulatory reports and data sets for analyses.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The NHLBI-CDS produces Medical Record reports that are filed in the Clinical Center Medical
Records Department and are also used to send to the patient’s referring physician. SOR number
is 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NHLBI-CDS collects
and manages data emanating from clinical studies and allows for monitoring recruitment and
tracking patients and analyzing results. Collection of this information is authorized under
sections 301, 319F-1, 402, and 405 of the PHS Act which authorize the HHS Secretary to
conduct and support research.
The primary use of this information is to track clinical research results for studies conducted at
the National Institutes of Health. Information such as patient name, address, medical history, test
and procedure results, and other research related information is collected and maintained.
NHLBI-DIR uses this information to analyze and report the results of clinical research being
conducted within the division. The information collected includes IIF and all patients enrolled
on clinical studies sign an informed consent related to their participation in clinical research.
Some of the information is used for Medical Record reporting and for providing the patient’s
referring physicians with the test results and assessments related to the patient’s visit.
Information is provided on a voluntary basis as participation in clinical trial research is
voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All patients sign an informed consent (paper) related to
their participation in clinical research and how their data will be used. There is no process for
obtaining consent from individuals whose IIF is in the system when major system changes occur,
however this system is an internal system (only available within NIH) and data are de-identified
for the purpose of summarizing and publishing research results.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Data is maintained in a secure database.
Routine access is restricted to authorized employees and contractors only according to the
principle of least privilege by the use of user name and password access controls. Additional
technical and administrative controls are also employed, including badge access, intrusion
detection system, firewalls, virtual private networks, encryption, etc. The NHLBI-CDS staff
monitors system access for intrusion detection and reviews audit logs to identify inappropriate
browsing or inappropriate database access. Computer security incidents are referred to the NIH
Incident Response Team (NIH IRT). Contractors are required to have employment suitability
determinations, National Agency Checks, credit checks, and/or background investigations,
commensurate with the position. Contractors are also required to sign an NIH non-disclosure
agreement prior to being given access to the NHLBI-CDS. Contractors must take the NIH
security awareness training.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Council
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): 009-25-01-26-02-7204-00-202-069 (UPI)
7. System Name (Align with system Item name): NIH NHLBI Council
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Matt Raschka
10. Provide an overview of the system: The Council web site assists the NHLBI extramural
staff and the council board members in preparing for council meetings. The Council system
extracts the grant application information from NHLBI Tracking and Budget System (TABS)
database and the members assigned to applications from IMPAC II (eRA) database. Council
related documents are provided in the system by the divisions. The council members review the
applications, view the summary statements and abstracts and make recommendations on the
scientific merit of applications.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose PII data.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Council system does
not collect any information. Council is a National Heart Lung and Blood Institute (NHLBI)
intranet website that enables NHLBI Council Advisory Board members to review
their assignments and the NHLBI staff to track the applications discussed at the Council
meetings. Council meetings are held 4 times a year. The Council system extracts the grant
application information from TABS database and the members assigned to applications from
IMPAC II (eRA) database. The council members review the grant applications, view the
summary statements and abstracts, and make recommendations on the scientific merit of
applications. The website contains only Federal grant data and it does not collect, maintain, or
disseminate PII data. Council does not require the submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI EDie
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NHLBI Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Christopher Bourdeau
10. Provide an overview of the system: EDie is an intranet based application primarily used to
manage and track personnel information. The application downloads this information from the
Human Resources Database (HRDB) weekly. Information entered into the EDie database is not
uploaded into the HRDB. Due to the sensitivity of the personnel data in this system, access to
the EDie database is limited to specific users within the IC. Users are assigned roles that restrict
what data they may view and what functions they can perform. Access privileges are enforced
through authentication within the database.
Authority for maintenance of the system: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521
and Executive Order 10561
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal senior administrative use only and will not be shared with
other entities. Please refer to SOR # 09-90-0018, Personnel Records in Operating Offices,
HHS/OS/ASPER
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purposes of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system. Uses consist of
the following: a) tracking a time-limited appointment to ensure renewals are completed in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary quality for various hiring mechanisms; d) providing reports as
requested by the NIH Director, the IC Director, and other management staff; and e) maintaining
lists of non-FTEs, special volunteers, contractors, and other hiring appointments. The
information collected constitutes IIF and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF in the system is downloaded periodically from the
HRDB. Changes to the HRDB or changes in the way information is used are relayed to
employees via official notice from the NIH Office of Human Resources (OHR). Individuals are
notified of the collection and use of the data as part of the hiring process. This is a mandatory
requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: IIF data is maintained in a secure database.
Routine access is restricted to authorized employees and contractors only according to the
principle of least privilege by the use of user name and password access controls. Additional
technical and administrative controls are also employed, including badge access, intrusion
detection systems, firewalls, virtual private networks, encryption, etc.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Extramural
Program Development (EP)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7204-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHLBI Extramural Program
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Matt Raschka
10. Provide an overview of the system: Manage NHLBI Extramural Research Programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Grant data is available to reviewers during submission/evaluation of potential grants. See SOR
09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Collection of this
information is authorized under 5 U.S.C 301. Information collected by the system includes:
funding applications, awards, trainee appointments and advisory committee records. The PII
collected to contact business partners includes name, personal address, personal phone number,
and personal email. The primary use of this information is for government personnel to conduct
grant application reviews, approvals, and to create reports related to grant applications.
Submission of this information is mandatory for grant applications to be processed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no process to notify or obtain consent when
there is a major change to the system that affects disclosure and/or data uses since the notice at
the time of the original collection.
Applicants are notified data is collected when they enter it into the system, or fill in the paper
application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system has been subject to a
Certification and Accreditation (C&A) process, during which, all technical, administrative and
physical controls were evaluated. These controls are defined in NIST publication 800-53
Recommended Security Controls for Federal Information Systems.
The system is housed in a secure server room, which is located in a building protected by
security personnel 24/7 (door locks, key badge, etc…). Technical controls ensure that no
unauthorized access is permitted (passwords, certificates, encryption, firewalls, etc…). Strict
administrative controls are in place to ensure the system is operated in a safe, consistent manner
(least privilege, separation of duties, background investigations, etc…).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Internet Animal
Study Proposal
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011?
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NHLBI Internet Animal Study
Proposal (IASP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Matt Raschka
10. Provide an overview of the system: The IASP application supports the creation and
management of NIH compliant animal study proposals. This program is used by all intramural
researchers at NHLBI to create and submit animal study research proposals. IASP is also used
by the Animal Care and Use Committee (ACUC), Veterinarians, Investigators and research
support staff to comply with requirements regarding research conducted at NIH.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The IASP application
supports the creation and management of NIH compliant animal study proposals. This program
is used by all intramural researchers at NHLBI to create and submit animal study research
proposals. IASP is also used by the Animal Care and Use Committee (ACUC), Veterinarians,
Investigators and research support staff to comply with requirements regarding research
conducted at NIH with respect to animals. It does not contain any PII data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Internet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-7299-00-305-109
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106, 09-90-0024
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHLBI Web Site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Matt Raschka
10. Provide an overview of the system: Disseminates health information and information and
policies related to NHLBI Extramural and Intramural Programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Credit Card information is transferred to Verisign for cost recovery.
Information from Techfinder may be shared with the NIH Office of Technology Transfer, which is
responsible for licensing NIH technology. SOR is 09-25-0106 and 09-90-0024.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Voluntary; contains IIF:
- names and mailing addresses, email addresses, phone and FAX numbers for delivery of
purchased items, purchase confirmation, verification, and updating information,
- credit card numbers for: purchase of items (cost recovery),
- Login credentials needed to update staff profiles
Voluntary; does not contain IIF
- Names of organizations and description, general job titles, organizational unit, research
interests, contact information, information about an activity (including dates), expected audience,
and setting (e.g., healthcare, work site, community, media, etc.) for posting on the Web,
publicizing local activities, or developing interest in NHLBI activities, also for staff recruitment
of new postdocs and principal investigators.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The individuals are contacted by either email or US
Post, depending on the information in that particular system.
Notification of intent to use information is available on the Web application or Web sites.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: Yes
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Intramural
Research Application Development (IR)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7203-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHLBI Intramural Program
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Matt Raschka
10. Provide an overview of the system: Manage NHLBI Intramural Research Programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Clinical test results are available to authorized researchers and caregivers. See SOR 09-25-0099
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Collection of this
information is authorized under 42 U.S.C. 241, 248. The system collects medical treatment
record data. This information is used to provide evaluations and treatments to patients, and for
subsequent medical research. The researchers and caregivers will have access to this
information. Submission of this information is mandatory for all medical research patients.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All patients sign an informed consent (paper) related to
their participation in clinical research and how their data will be used. There is no process for
obtaining consent from individuals whose IIF is in the system when major system changes occur;
however, this system is an internal system (only available within NIH) and data are de-identified
for the purpose of summarizing and publishing research results.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system has been subject to a
Certification and Accreditation (C&A) process, during which, all technical, administrative and
physical controls were evaluated. These controls are defined in NIST publication 800-53
Recommended Security Controls for Federal Information Systems.
The system is housed in a secure server room, which is located in a building protected by
security personnel 24/7 (door locks, key badge, etc.). Technical controls ensure that no
unauthorized access is permitted (passwords, certificates, encryption, firewalls, etc.). Strict
administrative controls are in place to ensure the system is operated in a safe, consistent manner
(least privilege, separation of duties, background investigations, etc.).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Lab of Cardiac
Energetics
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200 (research)
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NHLBI Laboratory of Cardiac
Energetics (LCE)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Matt Raschka
10. Provide an overview of the system: The LCE MRI Database is used by the Magnetic
Resonance Imaging (MRI) section of LCE at NHLBI. The system was initially developed by the
LCE group as a Microsoft Access database. The system was converted by the Application
Development Support Branch (ADSB) to a secure web based clinical database that collects data
for patients in Hjartevernd Hospital (Iceland), Suburban Hospital (Bethesda, MD) and NIH
Clinical Center (Bethesda, MD). The system adheres to HIPAA standards and includes external
interfaces to the NIH Central Fax Service and DICOM Nodes on the network.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Hospital personnel for clinical and research purposes.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects the
following data elements: First Name, Middle Name, Last Name, Medical Record Number,
Medical Record number for Suburban Hospitals, Medical Record number for Baltimore
Hospitals, Date of Birth, Gender, Street, City, State, Zip, Home Phone, Work Phone, Email,
Ethnic Group, Race.
The data is used for clinical operations and research purposes. The above listed Data Elements
do contain PII data. The primary use of this information is to track clinical research results for
studies conducted at the National Institutes of Health. Information such as patient name, address,
medical history, test and procedure results, and other research related information is collected
and maintained. NHLBI-LCE investigators use this information to analyze and report the results
of clinical research being conducted within the division. The information collected includes
some PII and all patients enrolled on clinical studies sign an informed consent related to their
participation in clinical research. Some of the information is provided to the patient’s referring
physicians with the test results and assessments related to the patient’s visit. Information is
provided on a voluntary basis as participation in clinical trial research is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each subject that participates on a clinical trial and
provides data as a result must sign a consent form that indicates what PII is being collected and
how that data will be used or shared. Once received, the forms are scanned into the system. The
original form is kept on file in the patient's medical file and a copy is provided to the patient for
their own records as well.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Data is maintained in a secure database.
Routine access is restricted to authorized employees and contractors only according to the
principle of least privilege by the use of user name and password access controls. Additional
technical and administrative controls are also employed, including badge access, intrusion
detection system, firewalls, virtual private networks, encryption, etc. The NHLBI-LCE support
staff monitors system access for intrusion detection and reviews audit logs to identify
inappropriate browsing or inappropriate database access. Computer security incidents are
referred to the NIH Incident Response Team (NIH IRT). Contractors are required to have
employment suitability determinations, National Agency Checks, credit checks, and/or
background investigations, commensurate with the position. Contractors are also required to sign
an NIH non-disclosure agreement prior to being given access to the NHLBI-LCE. Contractors
must take the NIH security awareness training.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI NHLBI Hosted
Systems GSS [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NO
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): NO
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): NO
7. System Name (Align with system Item name): NHLBI Hosted Systems GSS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Brian Kotula
10. Provide an overview of the system: The NHLBI Hosted Systems GSS supports
approximately 1,500 users at the NHLBI. The NHLBI Hosted Systems GSS is located in the
Customer Service Area (CSA) 2 in the NIH Data Center in Building 12 on the NIH main campus
in Bethesda, MD and at the NIH Consolidated Co-Location Site (NCCS) at the Qwest data center
in Sterling, VA.
The NHLBI Hosted Systems GSS comprises servers and SANs constituting a General Support
System.
Although many applications reside on servers in the NHLBI Hosted Systems, the Data Center
itself does not process or store any IIF. (Individual application PIAs will address any and all IIF.)
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The NHLBI Hosted Systems GSS shares PII data with the Clinical Data System (CDS). The
NHLBI-CDS produces Medical Record reports that are filed in the Clinical Center Medical
Records Department and are also sent to the patient’s referring physician. SOR number
is 09-25-0200. Hosted Systems GSS shares PII data with Extramural Program Development
(EP) for grant purposes. Hosted Systems GSS shares PII with the NHLBI Internet Website for
Credit Card information, which is transferred to Verisign for cost recovery. Information from
Techfinder may be shared with the NIH Office of Technology Transfer, which is responsible for
licensing NIH technology. SOR is 09-25-0106 and 09-90-0024. NHLBI Hosted GSS shares PII
data with NHLBI Intramural Research Application Development (IR) regarding clinical test
results shared with authorized researchers and caregivers. See SOR 09-25-0099.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Patient records, patient
medical records numbers, names, addresses, DoB, email addresses. To support the mission of
the NHLBI for science and research. The information collected is PII in nature. All of the
information provided by the user is given on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIH OCIO office has procedures on dealing with
PII breach/spillage for incident procedures for the ISSO to follow. NIH has a process in place
for collecting PII from users via a consent form. Information will be used and shared to support
the mission of the NHLBI for science and research. Users are given consent in a written notice.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: All users must go through Rules of
Behavior training before being granted access to a system. Identification and authentication
mechanisms are in place to prevent unauthorized access to data. Data centers are protected by
guards, badge readers, iris scanners and access is only provided to administrators of the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI NHLBI LAN GSS
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NO
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): NO
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): NO
7. System Name (Align with system Item name): NHLBI LAN GSS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Brian Kotula
10. Provide an overview of the system: The NHLBI-managed LANs general support system
(GSS) is owned and maintained by the Information Technology Resources Branch (ITRB) of the
NHLBI Center for Biomedical Informatics (CBI). NHLBI LANs assets are located in buildings
10, 14, and 31 on the NIH main campus in Bethesda, MD as well as in the off-campus
Rockledge One and Two buildings in Bethesda, MD and the 5RC building in Rockville, MD.
The NHLBI LANs GSS provides network connectivity for NHLBI information systems,
applications, and users.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The LAN shares PII data using switches to route the information to the NHLBI network
resources. The NHLBI Hosted Systems GSS shares PII data with the Clinical Data System
(CDS). The NHLBI-CDS produces Medical Record reports that are filed in the Clinical Center
Medical Records Department and are also sent to the patient’s referring physician. SOR
number is 09-25-0200. Hosted Systems GSS shares PII data with Extramural Program
Development (EP) for grant purposes. Hosted Systems GSS shares PII with the NHLBI Internet
Website for Credit Card information, which is transferred to Verisign for cost recovery.
Information from Techfinder may be shared with the NIH Office of Technology Transfer, which is
responsible for licensing NIH technology. SOR is 09-25-0106 and 09-90-0024. NHLBI Hosted
GSS shares PII data with NHLBI Intramural Research Application Development (IR) regarding
clinical test results shared with authorized researchers and caregivers. See SOR 09-25-0099.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Patient records, patient
medical records numbers, names, addresses, DoB, email addresses. To support the mission of
the NHLBI for science and research. The information collected is PII in nature. All of the
information provided by the user is given on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIH OCIO office has procedures on dealing with
PII breach/spillage for incident procedures for the ISSO to follow. NIH has a process in place
for collecting PII from users via a consent form. Information will be used and shared to support
the mission of the NHLBI for science and research. Users are given consent in a written notice.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: All users must go through Rules of
Behavior training before being granted access to a system. Identification and authentication
mechanisms are in place to prevent unauthorized access to data. Data centers are protected by
guards, badge readers, iris scanners and access is only provided to administrators of the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHLBI SOFie
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Alex Hawkins
10. Provide an overview of the system: SOFie is a web-based application for internal use only
to manage expenditures and obligations. The purpose of the system is to monitor expenditures.
The program helps project the budget and lets users know how much money is left in the FY to
spend.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: All accounting transactions
are available for viewing in SOFie. The information is used to track and plan fiscal budgets. It
is necessary to have access to this data in order to comply with appropriations laws and
regulations. Data elements stored are: arbitrary Document #, Object Class Code, Vendor,
Description of Expenses, and Purchase Amount.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jason Cate
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Aging Data
Administration Management System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4302-00-101-001
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036 Extramural Awards and Charted Advisory
Committees
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIA Aging Data Administration
Management System (ADAMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chris Porter
10. Provide an overview of the system: The NIH NIA Aging Data Administration
Management System (ADAMS) is a tracking and recording system for grants. It allows the user
to code competing applications before council meetings, scientifically code grants based on their
study, perform ad hoc queries, and generate reports. Legislation to authorize this activity is under
5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 248a, and 288; 48 CFR Subpart
15.3 and Subpart 42.15. More specific functions include: allocation and adjusting funding
estimates for grants based on their budgets, summarizing grant funding by specific categories for
reporting to Congress, and reporting committed, pending, and obligated records with future year
commitments.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time. Refer to the system of record 09-25-0036 section entitled
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING
CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0036.htm for the allowed disclosures of IIF.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores
information on grant applications and current and historical information on grant applications
and contracts awarded by the NIH, including performance evaluations. The information is used
to support centralized grant programs and contract management. PII in the system includes
name, mailing address, email address, telephone number, financial account information, and
grant and/or contract number. Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent
from the individuals whose IIF is in the system when major changes, as defined in Section 208 of
the E-Government Act of 2002, occur to the system.
When applying for grants, applicants are informed that personal information is collected for
accurate identification, referral and review by grants program managers. Refer to the system of
record 09-25-0036 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0036.htm, for a summary of the notice of uses of
information.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls: Guards, Identification
badges, key cards and closed circuit TV.
Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Baltimore
Longitudinal Study of Aging [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02--4303-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200 Clinical, Basic and Population-based Research
Studies
5. OMB Information Collection Approval Number: CE 08-01-01 clinically exempt, per NIH
OMB Project Clearance Branch
6. Other Identifying Number(s): Westat PID 8807
7. System Name (Align with system Item name): NIH NIA Baltimore Longitudinal Study of
Aging (BLSA)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Luigi Ferrucci
10. Provide an overview of the system: The NIA supports the Baltimore Longitudinal Study of
Aging (BLSA), America's longest-running scientific study of human aging, begun in 1958.
BLSA scientists are learning what happens as people age and how to sort out changes due to
aging from those due to disease or other causes. More than 1,400 men and women are study
volunteers. They range in age from their 20s to their 90s. BLSA study data comprises clinical
data, data from questionnaires, cognitive tests, physical exams, and medical histories and other
diagnostic tests and images. BLSA databases are used by researchers at the NIA Clinical
Research Branch’s Longitudinal Studies Section. BLSA data comprises both Personally
Identifiable Information (PII) and de-identified data used in analysis by NIA researchers.
Appointment and authority is given to the National Institutes of Health under the Public Service
Act.
IDEAL is an extension of the Baltimore Longitudinal Study on Aging (BLSA). NIA’s goal for
the IDEAL recruitment effort is to enroll 500 healthy individuals aged 80 or older over the
5-year term of the contract. The IDEAL Study cohort will be compared to current BLSA
participants over age 80 who are no longer healthy or fully functional. IDEAL subjects will be
followed for life with yearly visits. A secondary objective of the IDEAL Study is to identify
physiological, environmental, and behavioral characteristics that are risk factors for loss of a
person’s healthy aging status over time. The IDEAL-SMS stores, processes, and transmits all
information related to the study including data gathered from individuals enrolled in the study,
staff and agency contact information, study data and reports, and other electronic and hardcopy
information.
The IDEAL-SMS collects and maintains a variety of information types. Volunteers identified
through this recruitment effort will participate in up to two rounds of eligibility screening: Stage
One is a telephone interview, and Stage Two is a home visit that includes physical examination,
cognitive testing, a resting electrocardiogram, and a blood draw. In addition to the identifying
information used to locate and contact study participants, the system will store, process, and
transmit examination and testing results, electrocardiogram hardcopy and data, and blood
analysis data. Contact information is not submitted by the participants. Participation in the
study is voluntary.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time. Information regarding potential disclosure practices is
further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the
Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The personal information
collected includes: name, mother’s maiden name, date of birth, (voluntary) SSN, mailing
address, phone number, medical record numbers, notes and email address. Information is used in
examining the clinical questions addressed by the study, and to contact the consenting
participants with the results of testing and to collect clinical follow-up information. The
information collected is the minimum required to accomplish the stated mission. The information
collected contains PII. Submission of personal information is voluntary.
The IDEAL-SMS collects and maintains a variety of information types. Volunteers identified
through this recruitment effort will participate in up to two rounds of eligibility screening: Stage
One is a telephone interview, and Stage Two is a home visit that includes physical examination,
cognitive testing, a resting electrocardiogram, and a blood draw. In addition to the identifying
information used to locate and contact study participants, the system will store, process, and
transmit examination and testing results, electrocardiogram hardcopy and data, and blood
analysis data. Contact information is not submitted by the participants. Participation in the
study is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent
from the individuals whose IIF is in the system when major changes, as defined in Section 208 of
the E-Government Act of 2002, occur to the system.
All participants sign an informed consent form acknowledging their voluntary participation in
the study and their rights under HIPAA. (Refer to the Privacy Act systems notice 09-25-0200
section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM,
INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for a
summary of the notice of uses of information.)
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls: Guards, Identification
badges, key cards and closed circuit TV
Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)
Information will be secured on the system through access controls, personnel security awareness
and training, regular auditing of information and information management processes, careful
monitoring of a properly accredited IDEAL-SMS information system, control of changes to the
system, by appropriate planning and testing of configuration management and contingency
processes, by ensuring that all users of the IDEAL-SMS are properly identified and authorized
for access and are aware of and acknowledge the system rules of behavior, by ensuring that any
contingency or incident is handled expeditiously, properly maintaining the system and regulating
the environment it operates in, by controlling media, by evaluating risks and planning for
information management and information system operations, by ensuring that the system and
any exchange of information is protected, by maintaining the confidentiality and integrity of the
IDEAL-SMS, and by adhering to the requirements established in the contract and statement of
work.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Clinical Research
System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4303-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200 Clinical, Basic and Population-based Research
Studies
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIA Clinical Research System (CRS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Linda Jo Byrd
10. Provide an overview of the system: The Clinical Research System is a product of the
Clinical Research Branch of the NIA Intramural Research Program. It collects personal
information on the participants of the Baltimore Longitudinal Study on Aging as well as clinical
research studies. The system is physically located on the 5th floor of the Harbor Hospital Center
in Baltimore, Maryland.
Appointment and authority is given to the National Institute on Aging under the Public Service
Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f,
285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and
44 U.S.C. 3101.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time. Refer to the system of record 09-25-0200 section entitled
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING
CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0200.htm for the allowed disclosures of IIF.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information is collected
during the initial and subsequent visits to the clinical research branch. The PII includes: name,
mother’s maiden name, date of birth, social security number, mailing address, phone number,
medical record numbers, notes and email address. Information is used to contact the consenting
participants with the results of testing, to collect follow-up information, and as part of the clinical
research. The information collected is the minimum required to accomplish the stated mission.
Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent
from the individuals whose IIF is in the system when major changes, as defined in Section 208 of
the E-Government Act of 2002, occur to the system.
All participants sign an RRB-approved informed consent form acknowledging their voluntary
participation in the study and their rights under HIPAA. (Refer to the system of record
09-25-0200 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM,
INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0200.htm, for a summary of the notice of uses of
information.)
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls: Guards, Identification
badges, key cards and closed circuit TV
Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA CollectionPro
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0024
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NIA CollectionPro
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chris Porter
10. Provide an overview of the system: The NIA CollectionPro is a Web-based application
that facilitates management of non-appropriated accounts, comprising unconditional and
conditional gift fund contributions as well as payments related to cooperative research and
development agreements (CRADA). The system includes the ability to manage gift fund and
CRADA accounts, record individual collections, upload NIH Business System (NBS) obligations
summed at the NIH common accounting number (CAN) level, reconcile advice of allotments,
track Investment information, and generate routing documents and letters of acceptance or
acknowledgement. The included reports provide a real time balance available for each of the
accounts, offer insight into the relationship between the advice of allotment, investments, and
funds available for obligation, and identify the new collections included in each of the reconciled
advice of allotments received from the NIH Office of Financial Management (OFM). Donors do
not have access to the NIA CollectionPro website.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Donor’s check number,
donor’s name or company name, donor’s address, donor type (private, etc.), and donor’s account
name.
(2) The information is used to manage, reconcile, and report gift funds made to the NIA.
(3) The information contains PII.
(4) Submission of PII is voluntarily provided to NIA personnel over the phone.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) There is no formal procedure in place to notify
individuals when the system changes.
(2) Donors initiate the process and voluntarily provide their PII by phone to NIA personnel. NIA
personnel enter the donor’s PII into the system.
(3) If the donor asks, NIA personnel will explain by phone that a) the PII is used to manage
non-appropriated accounts and b) the PII is not shared, but is used to generate letters back to the
donor and, if requested, also to the honored person or recipient research program.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls: Security Plan, file
backups, offsite storage, security awareness training, role-based access, and policies for retention
and destruction of PII.
Technical controls: User ID, passwords, firewall, VPN, IDS, and PKI.
Physical controls: Guards, Identification badges, key cards and closed circuit TV.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Echocardiology PACS
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH NIA Echocardiology PACS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Linda Jo Byrd
10. Provide an overview of the system: The NIA Echocardiology Picture Archiving and
Communications System (PACS) provides acquisition, archiving, transmission, display, and
management of imaging exams and studies. Compliant with DICOM and HL-7 standards, the
NIA Echocardiology PACS eliminates ultrasound films and enables simultaneous access to
digital images and research data at multiple locations. The system features Web-based access to
digital images and text for off-site viewing.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time. Refer to the system of record 09-25-0200 section entitled
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING
CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0200.htm for the allowed disclosures of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The personal information
collected during the initial and subsequent visits to the clinical research branch. This information
includes: name, mother’s maiden name, date of birth, social security number, mailing address,
phone number, medical record numbers, notes and email address. Information is used to contact
the consenting participants with the results of testing, to collect follow-up information, and as
part of the clinical research. The information collected is the minimum required to accomplish
the stated mission. The information contains PII. Submission of personal information is
voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent
from the individuals whose PII is in the system when major changes, as defined in Section 208 of
the E-Government Act of 2002, occur to the system.
All participants sign an IRB-approved informed consent form acknowledging their voluntary
participation in the study and their rights under HIPAA. (Refer to the system of record 09-25-
0200 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM,
INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0200.htm, for a summary of the notice of uses of
information.)
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls: data access
policies
Physical controls: Guards, Identification badges, key cards and closed circuit TV
Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA ERP Web
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011?
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-03-00-02-3109-00-304-104
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIA ERP Web
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mike Valdez
10. Provide an overview of the system: The NIA Extramural Research Program (ERP) Web
comprises the NIA public Websites. The NIA public Website http://www.nia.nih.gov/ provides
Web-based worldwide access to NIA public information. The public portion of the NIA website
has no identification/authentication of visitors or encryption of traffic between the Web server
and user browsers. Appointment and authority is given to the National Institute on Aging under
Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f,
285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and
44 U.S.C. 3101.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII collected, stored, or processed.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: No PII collected, stored, or
processed. No Submission of personal information.
Information on the ERP Web website http://www.nia.nih.gov/ comprises NIA health information
publications, clinical trials descriptions, public service ads, links to related sites, links to health
and aging organizations, extramural research program descriptions, intramural research
descriptions, materials from NIA conferences, workshops, and meetings, information on NIH's
inclusion policies, and descriptions of scientific resources.
No PII on ERP Web site.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A--No PII collected, stored, or processed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII collected, stored, or processed.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Healthy Aging in
Neighborhoods of Diversity across the Life Span [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4303-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200 Clinical, Basic and Population-based Research
Studies
5. OMB Information Collection Approval Number: Not applicable
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIA Healthy Aging in Neighborhoods
of Diversity across the Life Span System (HANDLS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Alan Zonderman
10. Provide an overview of the system: The HANDLS system is a product of the Research
Resources Branch of NIA Intramural Research Program. It collects personal information on the
participants in the HANDLS study. The system is physically located in the Biomedical Research
Center in Baltimore, Maryland. Appointment and authority is given to the National Institute on
Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d,
285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a,
289c, and 44 U.S.C. 3101.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time. Refer to the system of record 09-25-0200 section entitled
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING
CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0200.htm for the allowed disclosures of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The personal information
collected includes: name, date of birth, social security number, mailing address, phone number,
medical record numbers, notes and email address. Information is used in examining the clinical
questions addressed by the study, and to contact the consenting participants with the results of
testing and to collect clinical follow-up information. The information collected is the minimum
required to accomplish the stated mission. The information contains PII. Submission of personal
information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent
from the individuals whose PII is in the system when major changes, as defined in Section 208 of
the E-Government Act of 2002, occur to the system.
All participants sign an RRB-approved informed consent form acknowledging their voluntary
participation in the study and their rights under HIPAA. (Refer to the system of record 09-25-
0200 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM,
INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0200.htm, for a summary of the notice of uses of
information.)
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls: Guards, Identification
badges, key cards and closed circuit TV.
Technical controls: User ID, passwords, firewall, VPN, IDS.
Administrative controls: system security plan, contingency plan, files are backed up regularly,
backups are stored offsite, contract clauses ensuring adherence to privacy provisions and
practices, least privilege through role-based access, and policies for retention and destruction of
PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA IRP Web
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4303-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200 Clinical, Basic and Population-based Research
Studies
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIA IRP Web
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Alan Zonderman
10. Provide an overview of the system: NIA Intramural Research Program (IRP) Web is a
suite of Web-enabled applications in Baltimore, MD, that supports NIA IRP clinical research and
administrative activities. Appointment and authority is given to the National Institute on Aging
under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e,
285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c,
and 44 U.S.C. 3101.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures. While this system does not intend to share or disclose any PII, the
system of record 09-25-0200 indicates some potential disclosure of information practices.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The personal information is
collected from a Website. This information includes: name, street address, telephone number,
email address, date of birth, gender, height, weight, ethnic background, medications currently
taken, and comments. The information is used to screen the potential participants in clinical
research. The information collected is the minimum required to accomplish the stated mission.
The information contains PII. Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Participants supply basic personal identifying
information during the intake process to the Clinical Research Branch. All participants sign a
consent form acknowledging their anonymity and rights under HIPAA. Refer to system of
record 09-25-0200 for a detailed summary. No process for notifying individuals when major
changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls: guards, identification
badges, key cards, and closed circuit TV.
Technical controls: user IDs, passwords, firewall, VPN, IDS.
Administrative controls: system security plan, contingency plan, files are backed up regularly,
backups are stored offsite, contract clauses ensuring adherence to privacy provisions and
practices, least privilege through role-based access, and policies for retention and destruction of
PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Magnetic Resonance
Imaging Picture Archiving and Communications System of NIA [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH NIA MRI PACS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Linda Jo Byrd
10. Provide an overview of the system: The NIA MRI Picture Archiving and Communications
System (PACS) provides acquisition, archiving, transmission, display, and management of
imaging exams and studies. Compliant with DICOM and HL-7 standards, the NIA MRI PACS
eliminates radiological films and enables simultaneous access to digital images and research data
at multiple locations. The system features Web-based access to digital images and text for off-
site viewing.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time. Refer to the system of record 09-25-0200 section entitled
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING
CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0200.htm for the allowed disclosures of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The personal information
collected during the initial and subsequent visits to the clinical research branch. This information
includes: name, mother’s maiden name, date of birth, social security number, mailing address,
phone number, medical record numbers, notes and email address. Information is used to contact
the consenting participants with the results of testing, to collect follow-up information, and as
part of the clinical research. The information collected is the minimum required to accomplish
the stated mission. The information contains PII. Submission of personal information is
voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent
from the individuals whose PII is in the system when major changes, as defined in Section 208 of
the E-Government Act of 2002, occur to the system.
All participants sign an IRB-approved informed consent form acknowledging their voluntary
participation in the study and their rights under HIPAA. (Refer to the system of record 09-25-
0200 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM,
INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0200.htm, for a summary of the notice of uses of
information.)
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls: data access
policies
Physical controls: Guards, Identification badges, key cards and closed circuit TV
Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Microsoft Office
SharePoint Services of NIA [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-03-00-02-3109-00-304-104
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216 "Administration: NIH Electronic Directory (NED),
HHS/NIH"
5. OMB Information Collection Approval Number: none
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH NIA Microsoft Office SharePoint
Services (MOSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mike Valdez
10. Provide an overview of the system: The NIH NIA MOSS is a Microsoft Office SharePoint
Services-based NIA Intranet portal. MOSS provides collaboration and data organization tools for
users at the NIA Office of the Director (OD) and Office of Administrative Management (OAM).
MOSS facilitates sharing of OD and OAM business processes, including employee
administration, purchase ordering, and asset management tracking. MOSS document workflow
sites support management of administrative policies and procedures as well as administrative
requests and actions. MOSS search capabilities enable cross-site searching that speeds access to
critical administrative documentation. NIA MOSS comprises the NIA Intranet Websites.
The NIA intranet Website provides Web-based local (NIHnet) access to NIA private information
and applications. (ADAMS Web-based applications are located on the intranet Website. See the
ADAMS PIA.)
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time. Refer to the system of record 09-25-0216 section entitled
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING
CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/0216.htm for the allowed disclosures of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: All PII in the system is
queried from the NIH Enterprise Directory (NED) system. PII needed to facilitate NIA Office of
the Director (OD) and Office of Administrative Management (OAM) collaboration includes
name, work phone number, and work email address of NIA employees and contractors.
Submission of information to NED is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent
from the individuals whose PII is in the system when major changes, as defined in Section 208 of
the E-Government Act of 2002, occur to the system. All PII in the system is queried from the
NIH Enterprise Directory (NED) system.
Refer to the system of record notice 09-25-0216 section entitled ROUTINE USES OF
RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES for a summary of the notice of uses of NED information.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls: guards, identification
badges, key cards and closed circuit TV.
Technical controls: user IDs, passwords, firewall, VPN, encryption, IDS.
Administrative controls: system security plan, contingency plan, files are backed up regularly,
backups are stored offsite, user manual, contract clauses ensuring adherence to privacy
provisions and practices, least privilege through role-based access, and policies for retention and
destruction of PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA NIA ERP Data
Centers [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-03-00-02-3109-00-304-104
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIA ERP Data Centers
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mike Valdez
10. Provide an overview of the system: NIA Extramural Research Program (ERP) Data
Centers in Bethesda, MD. These data centers support NIA ERP administrative activities.
Appointment and authority is given to the National Institute on Aging under Public Service Act,
42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j,
285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII collected, stored, or processed.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Server configuration and
event log data is collected and maintained to support data center operations. Data is collected and
maintained as needed to administer servers, SAN, and disk backup system. No PII collected,
stored, or processed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A--No PII collected, stored, or processed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII collected, stored, or processed.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA NIA IRP Data
Centers [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3109-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIA IRP Data Centers
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Alan Zonderman
10. Provide an overview of the system: NIA Intramural Research Program (IRP) Data Centers
in Baltimore, MD. These data centers support NIA IRP clinical research and administrative
activities. Appointment and authority is given to the National Institute on Aging under Public
Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h,
285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C.
3101.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII collected, stored, or processed.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Server configuration and
event log data is collected and maintained to support data center operations. Data is collected and
maintained as needed to administer servers, SAN, and tape backup system. No PII collected,
stored, or processed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A--No PII collected, stored, or processed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A--No PII collected, stored, or processed.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA NIA NACAnet
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-03-00-02-3109-00-304-104
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0217 "NIH Business System (NBS), HHS/NIH"
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIA NACAnet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Robin Barr
10. Provide an overview of the system: The National Advisory Council on Aging Network
(NACAnet) is an NIA web application that supports the National Advisory Council on Aging
(NACA) by providing a repository of council-related documents. No transactions are collected or
accomplished on the website, only display of NACA information. NACAnet users comprise NIA
employees and the current NACA council members, some of whom are located outside NIH at
academic facilities. Appointment and authority is given to the National Institute on Aging under
Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f,
285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and
44 U.S.C. 3101.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time. Refer to the Privacy Act systems notice 09-25-0217
section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM,
INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the
allowed disclosures of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Grantee (NIH grant
recipient) personal information maintained comprises: name, mailing address, phone number,
financial account information, and employment status. The data is used for NACA planning. The
information contains PII. Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent
from the individuals whose PII is in the system when major changes, as defined in Section 208 of
the E-Government Act of 2002, occur to the system.
When applying for grants or contracts, applicants are informed that personal information is
collected for accurate identification, referral and review by program managers. Refer to the
system of record 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED
IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF
SUCH USES for a summary of the notice of uses of information.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls: guards, identification
badges, key cards and closed circuit TV.
Technical controls: user IDs, passwords, firewall, VPN.
Administrative controls: system security plan, contingency plan, files are backed up regularly,
backups are stored offsite, contract clauses ensuring adherence to privacy provisions and
practices, least privilege through role-based access, and policies for retention and destruction of
PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Position and
Employee Tracking (PET)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-03-00-02-3109-00-304-104
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216 "Administration: NIH Electronic Directory (NED),
HHS/NIH"; 09-90-0018 “Personnel Records in Operating Offices, HHS/OS/ASPER”
5. OMB Information Collection Approval Number: none
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH NIA Position and Employee Tracking
(PET)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Melissa Fraczkowski
10. Provide an overview of the system: The NIA Position and Employee Tracking (PET)
application is owned and maintained by the Workforce Strategic and Planning Branch (WSPB)
of the NIA Office of Administrative Management (OAM) and is located in Building 31 on the
NIH main campus in Bethesda, MD. The PET application consolidates NIA personnel
information into one location, reducing WSPB reliance on maintaining separate Microsoft Excel
spreadsheets for different categories of personnel information. The PET will be used to maintain
administrative and status information on NIA federal FTE and non-FTE contractors, special
volunteers, intramural research training award recipients (IRTAs), visiting fellows, guest
researchers, and detailees.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Some PII in the system is
queried from the NIH Enterprise Directory (NED) and the HHS Capital HR systems and entered
into the PET application. Additional PII comes from spreadsheets maintained by the Workforce
Strategy and Performance Branch (WSPB). Types of PII include name, NIH badge number,
Capital HR Employee ID, and start and separation dates of NIA employees and contractors. The
information contains PII. Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent
from the individuals whose PII is in the system when major changes, as defined in Section 208 of
the E-Government Act of 2002, occur to the system. All PII in the system is queried from the
NIH Enterprise Directory (NED) and HHS Capital HR systems and entered into the PET
application.
Refer to the system of record notice 09-25-0216 section entitled ROUTINE USES OF
RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES for a summary of the notice of uses of NED information.
Refer to the system of record notice 09-90-0018 section entitled ROUTINE USES OF
RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES for a summary of the notice of uses of Capital HR
information.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls for Building 31 and the
Gateway Building include: guards, identification badges, key cards and closed circuit TV.
Technical controls for the server and PET applications include: user ID, passwords.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Social Research
System (SRS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): none
5. OMB Information Collection Approval Number: none
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH NIA Social Research System (SRS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Partha Bhattacharyya
10. Provide an overview of the system: The NIH NIA Social Research System (SRS) is a
general purpose workstation (Dell Precision T7500 PC with Windows 7) with statistical
programs STATA and SAS for analysis of deidentified Medicare and Social Security
Administration data by Partha Bhattacharyya, PhD, of the National Institute on Aging (NIA)
Division of Social and Behavioral Research (DSBR). Dr. Bhattacharyya will personally conduct
all analyses performed on the SRS and share aggregate, de-identified results with collaborators.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A. No PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information in the
system comprises deidentified Medicare claims records data (diagnosis codes, reimbursement,
and date of service), deidentified Social Security earnings file data (income), and deidentified
hospital discharge data (diagnosis codes, reimbursement, and date of service). The information is
used in examining the clinical questions addressed by the study. The information does not
contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A. No PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A. No PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIA Status of Funds Internet Edition
(SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chris Porter
10. Provide an overview of the system: SOFie is a Web-based financial reporting/tracking tool
that enables NIH ICs to manipulate and report on financial transactions downloaded from the
Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance
database comprises data downloaded from the NIH Business System.) Appointment and
authority is given to the National Institutes of Health under 5 U.S.C. 301 and 302, 44 U.S.C.
3101 and 3102, Executive Order 9397.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A. No PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIA accounting transactions
are downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH
DW Budget & Finance database comprises data downloaded from the NIH Business System.)
The data is used to plan, track, and report on NIA fiscal budgets.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A. No PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A. No PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIA Telework NIA
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018 "Personnel Records in Operating Offices,
HHS/OS/ASPER"
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NIH NIA Telework
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Melissa Fraczkowski
10. Provide an overview of the system: The Telework system is an enterprise system hosted
by NIA. This enterprise system is also used by CSR, NHGRI, NIMHD, NIDA, NHLBI,
NCATS, NIBIB, NIDCD, NIDDK, and OD. The system supports the federal Telework initiative
by providing an online Telework application repository and approval workflow. After an
employee completes an online Telework application form, the application moves through an
electronic approval process. Upon approval of the application, the applicant receives an email
notification of their application status. The applicant then completes an online Home Office
Evaluation form. The Telework system also enables automatic renewals, automatic changes, and
online termination of telework approval.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time. Refer to the system of record 09-90-0018 section entitled
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING
CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES
http://oma.od.nih.gov/ms/privacy/pa-files/09900018.htm for the allowed disclosures of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Telework system
collects and maintains voluntarily submitted PII needed to support the federal Telework
initiative, including employee name, supervisor name, NIH employee badge number, job title and
grade, IC, division, building and room numbers, work phone and fax, email address, home
address, and home phone and fax numbers. The information is used to manage Telework
applications, approvals, renewals, changes, and terminations. The information contains PII.
Personal information submission is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All PII in the Telework system is submitted by
Telework applicants during the application process. At login, the Telework system displays a
Privacy Statement that describes use of collected data.
No processes are in place to notify and obtain consent from the individuals whose PII is in the
system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur
to the system.
Refer to the system of record 09-90-0018 section entitled ROUTINE USES OF RECORDS
MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE
PURPOSES OF SUCH USES for a summary of the notice of uses of information.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls: guards, identification
badges, key cards and closed circuit TV. Technical controls: user ID, passwords, firewall, Virtual
Private Network (VPN).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA EMPLOYEE
DATABASE internet edition (EDiE)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3196-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Employee Database Internet Edition
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Patricia Scullion
10. Provide an overview of the system: EDiE is an intranet based application primarily used to
manage and track personnel information. Authority for maintenance of the system: 5 U.S.C.
1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal senior administrative use only and will not be shared by
other entities. Refer to SORN 09-90-0018, SORN 09-90-0024 and SORN 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDiE tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, nVision Data
Warehouse and NIH Enterprise Directory (NED). Uses consist of the following: a) tracking a
time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any
break in service; b) ensuring that allocated FTE ceilings are maintained; c) ensuring salary
equality for various hiring mechanisms; d) providing reports to the NIH Director, the IC
Director, and other management staff as requested; and e) maintaining lists of non-FTEs, special
volunteers, contractors, and other hiring appointments. The information collected constitutes PII
and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB,
nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is
used are relayed to employees via official notices from the NIH Office of Human Resources
(OHR). Individuals are notified of the collection and use of the data as part of the hiring process.
This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored in EDiE is accessed by a very
limited number of administrative staff with a “need-to-know” status. Only authorized users have
access to PII data. PII contained in the system is protected through NIH Active Directory
account and password management, and inherited NIH policies and procedures. Secure socket
layer protocol (SSL) is used to encrypt data in transit. The system is located in a secure network
room behind a firewall. Users receive NIH rules of behavior training. All personnel not having
card key access to the server room are escorted and required to sign in. Access to the building
and its hallways is recorded on video 24 hours a day (recorded - not CCTV).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA FINEX
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8610-00-404-136
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIAAA FinEx
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Casady
10. Provide an overview of the system: The FinEx application is a centralized, internet-based
relational database environment that stores data and business rules (procedures) required to
maintain the Extramural grant budget. The FinEx application includes the tools necessary to
estimate, award, obligate, forecast and report on grant budgets in the Extramural program.
In its in-production state, FinEx resides on the NIAAA-FINSOF server as a .Net, web-developed
application. Its interdependencies on other resources (or dynamically-linked libraries (DLLs)) are
fully compiled into the installed version of FinEx on NIAAA-FINSOF. NIAAA-FINSOF serves
as the web application. The database on which FinEx is dependent resides on NIAAA resources, a
SQL Server 2000 database server. FinEx utilizes, but is not dependent on, NIH CIT resources for
supplemental data (e.g. IRDB-an Oracle database warehouse server and DataWarehouse-an IBM
mainframe finance data warehouse).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII is obtained from the eRA system in the administration of research grants IAW SOR#09-25-0036.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Financial Grant information.
The FinEx application is a centralized, Internet-based relational database environment that stores
data and business rules (procedures) required to maintain the extramural grant budget. The
FinEx application includes the tools necessary to estimate, award, obligate, forecast and report
on grant budgets in the extramural program. The type of PII collected and contained in NIAAA
FinEx are applicant "names" and is obtained from the eRA system and is a required part of the
grants submission process. Since PII is required for the grants submission process, it is a
mandatory requirement of FinEx. This PIA is only viewed by the NIAAA Budget Office.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII is submitted as a part of the grants application
process. Information used by the NIAAA FinEx is taken from the eRA grant application.
Notification and consent from the individual is assumed when the grant application is submitted.
All notification and consent is taken care of via the grant application submission process and
eRA systems.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Role based security and NIH Active
Directory authentication with a user name and password are used, and group access permissions
are used to secure the application and its data. Users are only allowed access on a least
privilege, need-to-know basis, and receive NIH rules of behavior training. The system resides
behind a firewall and is in a server room with no external access. All personnel not having card
key access to the server room are escorted and required to sign in. Access to the building and its
hallways is recorded on video 24 hours a day (recorded - not CCTV).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA NESARC3 Study
Management System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: TBD
6. Other Identifying Number(s): Westat Internal Project ID 8690
7. System Name (Align with system Item name): NIH NIAAA National Epidemiologic
Survey on Alcohol and Related Conditions III Study Management System (NESARC3-SMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bridget Grant, Ph.D, Ph.D
10. Provide an overview of the system: The information is collected under 42 USC 285n and
participation in the NESARC-III is voluntary. The information contains PII and information is
shared in accordance with the guidance in the System of Records Notice 09-25-0200. The
NESARC-III is a nationally representative survey of the U.S. population (N=46,500). The
NESARC-III will collect information on alcohol use practices and alcohol use disorders and their
associated physical (e.g. liver cirrhosis) and psychological (e.g. depressed mood) disabilities and
also DNA through saliva samples. There are two small methodological components (N=1700)
that collect information on reliability and validity. The major purpose of the information is to
determine the prevalence, distribution, treatment and health disparities and economic costs and to
identify environmental and genetic risk factors and their interactions for these conditions.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information stored in the system is shared in accordance with the routine uses outlined in NIH
Systems of Record Notice 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information is collected
under 42 USC 285n and participation in the NESARC-III is voluntary. The information contains
PII and information is shared in accordance with the guidance in the System of Records Notice
09-25-0200. The NESARC-III is a nationally representative survey of the U.S. population
(N=46,500). The NESARC-III will collect information on alcohol use practices and alcohol use
disorders and their associated physical (e.g. liver cirrhosis) and psychological (e.g. depressed
mood) disabilities and also DNA through saliva samples. There are two small methodological
components (N=1700) that collect information on reliability and validity. The major purpose of
the information is to determine the prevalence, distribution, treatment and health disparities and
economic costs and to identify environmental and genetic risk factors and their interactions for
these conditions. Information collected includes background information, including
sociodemographic variables; alcohol use practices, disorders and alcohol related social,
psychological and physical consequences; symptoms scales indexing major mood, anxiety, and
eating conditions that frequently co-occur with alcohol and drug use disorders; tobacco,
medicine and drug use and disorders and related social, psychological, and physical
consequences; selected personality traits, including behavior; alcohol, drug, and mental health
treatment utilization; medical conditions related to alcohol consumption; care giving roles;
discrimination in health care; race-ethnicity; gender; income; sexual orientation; physical
disability; acculturation; perceived stress and social support; adverse childhood experiences and
intimate partner violence; nativity; generational status; sexual orientation; age at first intercourse;
presence of HIV/AIDS and other medical disease; health insurance coverage; and executive
functioning.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Individuals whose information is in the system only
interact with the system to respond to the surveys. No changes will be made to the information
that they provide. Respondents are notified and consent is obtained regarding PII collected from
them through advance letters, informational study materials and written notice on consent. The
information will be used for research purposes and shared in accordance with the guidance in
System of Records Notice 09-25-0200.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information will be secured on the system
through access controls, personnel security awareness and training, regular auditing of
information and information management processes, careful monitoring of a properly accredited
NESARC3-SMS information system, control of changes to the system, by appropriate planning
and testing of configuration management and contingency processes, by ensuring that all users of
the NESARC3-SMS are properly identified and authorized for access and are aware of and
acknowledge the system rules of behavior, by ensuring that any contingency or incident is
handled expeditiously, properly maintaining the system and regulating the environment it
operates in, by controlling media, by evaluating risks and planning for information management
and information system operations, by ensuring that the system and any exchange of information
is protected, by maintaining the confidentiality and integrity of the NESARC3-SMS, and by
adhering to the requirements established in the contract and statement of work.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA NIAAA General
Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-0200-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIAAA General Support System (GSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jonathan Folkers
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA SOFie
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Status of Funds internet edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Casady
10. Provide an overview of the system: SOFie is a Web based application employing
Microsoft’s IIS and SQL server software. The SOFie application supports the efforts of several
offices and branches within NIAAA, allowing budget offices to track expenditures of direct,
reimbursable, and non-appropriated funds in a fiscal year. Additionally, SOFie is used to reflect
budget allocations and projected expenditures at the operating level. The program also contains a
tracking mechanism to track prior year funds. The application downloads this information from
the NIH Data Warehouse weekly. Information entered into the SOFie database is not uploaded
into the NIH Data Warehouse database. SOFie is not a source database for other information
systems.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Accounting data and related
document information is downloaded from the Central Accounting Mainframe (Data Warehouse
Budget and Finance) and is relevant or specific to NIAAA for its fiscal year operations. No IIF
information is contained in SOFie.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID ARAC Review
(ARAC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-8520-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIAID AIDS Research Advisory
Committee (ARAC) Review
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439
10. Provide an overview of the system: The ARAC system serves as a communication tool for
committee members and the NIAID office that coordinates the meetings. It provides a web
accessible interface for DAIDS to:
· post timely information on upcoming ARAC meetings
· receive feedback on concepts from meeting participants (members)
· send emails containing system related information to active users
· maintain a searchable archive of past meetings, concepts, and participants
The ARAC system is a role-based secure tool with three different levels of users: administrators,
members, and viewers.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information on committee members who participate in the application review process will be
maintained, and may be shared with other authorized users. This includes the user name, degree,
title, work address, work phone number, and work email address. Per SORN 09-25-0036,
Disclosure may be made to qualified experts not within the definition of Department employees
as prescribed in Department regulations for opinions as a part of the application review process.
Disclosure may be made to a private contractor or Federal agency for the purpose of collating,
analyzing, aggregating or otherwise refining records in this system. The contractor or Federal
agency
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information on committee
members who participate in the application review process will be maintained, and may be shared
with other authorized users. This includes the user name, degree, title, work address, work phone
number, and work email address. Per SORN 09-25-0036, disclosure may be made to qualified
experts not within the definition of Department employees as prescribed in Department
regulations for opinions as a part of the application review process. Disclosure may be made to a
private contractor or Federal agency for the purpose of collating, analyzing, aggregating or
otherwise refining records in this system. Committee members whose names and contact
information are contained on the system have submitted it voluntarily and are informed that it will
be used to assist in communication and the review process.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Written consent is obtained from members when
personal (contact) information is collected.
The intended use for the information is described in writing at the time of collection.
Members are informed of the use of the application (ARAC), that it will contain their names and
contact information. Changes to the system are discussed with all members during business
communications, including written correspondence.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Authorized Users: Employees who maintain
records in this system are instructed to grant regular access only to NIH extramural and advisory
committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-
time and special access by other employees is granted on a need-to-know basis as specifically
authorized by the System manager.
Physical Safeguards: Physical access to NIH work areas is restricted to employees. Physical
access to the Office of Technology Information Systems (OTIS) work areas is restricted to OTIS
employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work
areas is restricted to OFACP employees. Access to the contractor performance files is restricted
through the use of secure socket layer encryption and through an IBM password protection
system. Only authorized government contracting personnel are permitted access. Access is
monitored and controlled by OTIS.
Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records
may be removed from files only at the request of the System manager or other authorized
employee. Access to computer files is controlled by the use of registered accounts, registered
initials, keywords, and similar limited access systems.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Biological
Specimen Inventory II (BSI-II)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Biological Specimen Inventory
II (BSI-II)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Tram Huyen, 301.451.2898
10. Provide an overview of the system: NIAID is a data-intensive organization, highly reliant
on the effective and efficient management of large volumes of clinical biospecimen data to
accomplish its research mission. To address the tracking and management of its clinical
biospecimens while ensuring compliance with recent Congressional reporting requirements and
other Federal regulations, NIAID implemented the Biological Specimen Inventory-II (BSI-II)
system. This system is operated by a contractor working on NIAID's behalf: Information
Management Services, Inc. (IMS).
The BSI-II system is designed to track laboratory specimen inventories from a single laboratory
up to an enterprise-level biorepository. The system provides the following capabilities:
· Specimen Management
· Requisition/Workflow Tracking
· Freezer/Inventory Management
· Comprehensive Reporting
· Shipment and Discrepancy Tracking
The BSI-II system runs on all major operating systems and can accommodate a large number of
records and concurrent users. The system can be accessed via two implementations: a Java-
based client application and a Web-based application.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Researchers who are Authorized users can view the data for research purposes. Note that this
system does not match IIF against other computer systems, and no other organizations or
systems are dependent upon the IIF contained in this system. Additionally, per SORN 09-25-
0200, routine uses of records maintained in the system, including categories of users and the
purposes of such uses, are as follows:
A record may be disclosed for a research purpose, when the Department: (A) has determined that
the use or disclosure does not violate legal or policy limitations under which the record was
provided, collected, or obtained; e.g., disclosure of alcohol or drug abuse patient records will be
made only in accordance with the restrictions of confidentiality statutes and regulations 42
U.S.C. 241, 42 U.S.C. 290dd-2, 42 CFR Part 2, and where applicable, no disclosures will be
made inconsistent with an authorization of confidentiality under 42 U.S.C. 241 and 42 CFR Part
2a; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless
the record is provided in individually identifiable form, and (2) warrants the risk to the privacy of
the individual that additional exposure of the record might bring; (C) has required the recipient to
(1) establish reasonable administrative, technical, and physical safeguards to prevent
unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies
the individual at the earliest time at which removal or destruction can be accomplished consistent
with the purpose of the research project, unless the recipient has presented adequate justification
of a research or health nature for retaining such information, and (3) make no further use or
disclosure of the record except (a) in emergency circumstances affecting the health or safety of
any individual, (b) for use in another research project, under these same conditions, and with
written authorization of the Department, (c) for disclosure to a properly identified person for the
purpose of an audit related to the research project, if information that would enable research
subjects to be identified is removed or destroyed at the earliest opportunity consistent with the
purpose of the audit, or (d) when required by law; and (D) has secured a written statement
attesting to the recipient's understanding of, and willingness to abide by, these provisions.
Disclosure may be made to a Member of Congress or to a Congressional staff member in
response to an inquiry of the Congressional office made at the written request of the constituent
about whom the record is maintained.
The Department of Health and Human Services (HHS) may disclose information from this
system of records to the Department of Justice when: (a) The agency or any component thereof;
or (b) any employee of the agency in his or her official capacity where the Department of Justice
has agreed to represent the employee; or (c) the United States Government, is a party to litigation
or has an interest in such litigation, and by careful review, the agency determines that the records
are both relevant and necessary to the litigation and the use of such records by the Department of
Justice is, therefore, deemed by the agency to be for a purpose that is compatible with the
purpose for which the agency collected the records.
Disclosure may be made to agency contractors, grantees, experts, consultants, collaborating
researchers, or volunteers who have been engaged by the agency to assist in the performance of a
service related to this system of records and who need to have access to the records in order to
perform the activity. Recipients shall be required to comply with the requirements of the Privacy
Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m).
Information from this system may be disclosed to Federal agencies, State agencies (including the
Motor Vehicle Administration and State vital statistics offices, private agencies, and other
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The collection of IIF is a
voluntary process that is routinely done as a part of a clinical protocol. The collection of this
information and the subsequent handling of that information is detailed in the consent forms
associated with a given clinical protocol.
The IIF collected and stored in the BSI-II system may include:
· Adoption Status
· Age
· Date of Birth
· Date of Death
· Date of Last Status
· Deceased Status
· Diagnosis
· Email Address
· Ethnicity
· Family Information
· Medical Notes
· Medical Records Numbers
· Patient Name
· Clinician Name
· Phone Number
· Sex
· Suffix
· Vitals status
· Medications
· Protocol #(s)
· Confidentiality Agreement # or exemption
· Collection Site Name
· Collection Site Address
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Informed Consent is obtained from all participants in
writing before they are enrolled in a clinical protocol. The informed consent documents what
information is collected and how it will be used, as well as providing a point of contact for each
protocol.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The IIF will be secured in a similar fashion
to that of other data stored in the system. Briefly, security measures include:
Transmission
All communication between the client application and the BSI transaction servers will be
encrypted using a 128-bit algorithm. All HTTPS communications, including the web-based
client application, will use AES 256-bit encryption between the client and the server. In addition,
IMS will maintain both production HTTP and HTTPS (secure) servers on the Internet for file
transfers. The HTTP servers are utilized for day to day file transfers of publicly available data.
System Monitoring
Automated audit trails are monitored on all server-based systems deployed at IMS. File usage
logging will be done for files specified by the NIAID. Audit records and server logs will be
reviewed daily for anomalies. An automated reporting tool will be used to analyze the server
logs to look for abnormal activity. Automated audit trails also play an important part in
governing the access granted to users outside the Contractor’s Local Area Network (LAN). A
firewall is in place that logs all incoming and outgoing connections to the LAN. This includes
connections to the UNIX/Linux workstations and the Windows servers. This log will be maintained
and checked for evidence of attempted unauthorized access to the Contractor’s LAN.
Client Application
The BSI-II system maintains a full audit trail on all data and metadata modified in the system.
This includes what was changed, when, how, and by whom. These logs will be maintained
within the database and will not be editable, but will be available for query and review by
authorized staff. Access to the system requires a valid username and password. All
communication between the client and server uses encrypted sockets to protect the data. Access
to system functions is granted by role-based assigned privileges.
Computer Center Administrative and Physical Safeguards
IMS’ Standard Operating Procedure (SOP) for Computer Resource Security details the standards
and processes used to ensure the security of the computer resources and data. All IMS employees
will be required to read and follow this SOP.
IMS’ computer center has facilities in Silver Spring, MD and in Sterling, VA. The Sterling,
Virginia site will be used for production services that require 24/7 accessibility. This site has
personnel on site 24-hours a day in a facility that requires a key card and fingerprint for access.
The facility also provides protection against fire and flood with highly sensitive monitoring
equipment. Generators are available to provide continuous electricity in case of a main power
failure.
The Silver Spring computer center is in a separate office with a key coded access lock. Each
person authorized to access the computer center has a personal ID and password that must be
entered each time the door is opened. A log of any attempt to enter the computer center is
maintained. This log is routinely reviewed to identify any potential security risks. Visitors are
never allowed into the computer center at either site. Maintenance and repair personnel will be
escorted into the computer room and then monitored until all work is complete.
IMS employs firewalls with Intrusion Detection capabilities to secure the network perimeter.
The firewalls are continually monitored. Reports are distributed to authorized administrators
twice daily for their review. Computer center staff performs weekly security checks using
Security Auditor's Research Assistant (SARA), a third generation UNIX-based security analysis
tool. IMS routinely reviews the security check results and rectifies any identified potential
security vulnerabilities.
Registration of authorized users on IMS’ Network is controlled by the IMS system administrator.
To enter the network, the user must have an authorized user ID and a password which must be
changed every 90 days. Network privileges are establish
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Clinical Research
Information Management System of NIAID [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Clinical Research Information
Management System of NIAID (CRIMSON)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bill Barrick
10. Provide an overview of the system: The Clinical Research Information Management
System of the NIAID (CRIMSON) is a Major Application used by the NIAID outpatient clinics
in support of their clinical research trials. CRIMSON was developed around a novel model that
reduces or eliminates duplicate data entry of research study participant information. CRIMSON
combines electronic medical record functionality with clinical trials management functionality
into one system. CRIMSON automatically integrates laboratory data from multiple sources,
along with entered clinical observation data, into one data repository of clinical research protocol
information. Information is then available to investigators for clinical and research usage via
standard reports, monitoring reports, ad-hoc queries, statistical analysis, graphical display, etc.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Sharing is limited to medical consultation within the organization. In addition, PII (progress
notes and lab data) are shared with the NIH Clinical Center Medical Records Department for
patient care and clinical research.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The system is an
electronic health record. The program will collect patient encounter information including
medical histories, examinations, treatment plans, interventions and the outcomes of those
interventions. Documentation of family histories and health events may include identifiers of
both the individual and family members. Documentation of common contact information (e.g.,
address, phone number, e-mail address) is required for safety purposes and to maintain
continuity of the provider-patient relationship. The system does not collect Social Security
numbers. (2) The information is used in the conduct of clinical research, health management,
health education of the individual patient or family, and teaching in a professional program of
medical education. (3) The information contains PII, including name, date of birth, address,
phone number, e-mail address, and medical data. (4) All information submitted by patients is
voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A number of federal and local agencies oversee and
direct this process including the Institutional Review Board for Human Subjects Protection, the
Clinical Center Medical Records Department, and the Office of Human Subjects Protections.
(1) When an initiative arises in which historical data or specimens are desired for use in ways not
covered by prior consent, the Institutional Review Board reviews and advises on the scope of
consent. In many cases the IRB requires re-consent with the patient or requires that the program
refrain from data or specimen uses not previously consented. (2) Patients in this program
undergo informed consent counseling from no fewer than two separate allied health
professionals. Consent is obtained in an interview with a physician and affirmed by the patient in
writing. Notification and consent to obtain information and specimens is managed in the Consent
to Treat and Consent to Participate in Clinical Study procedures. Patients are extensively
counseled on the meaning and implications of both and then affirm their understanding in
writing. (3) Patients are notified during the consent process how their information will be used
and that it may be shared with health care professionals and research staff.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: System access is granted by the Project
Officer (COTR) for purposes of conducting health care or clinical research. Allied Health care
professionals with direct patient contact and access to the system are credentialed by the
appropriate hospital authorities. Other logistical and scientific staff are granted access based on a
“least permissions” model appropriate to their role in the care or research process. All persons
with access to the system are covered by appropriate nondisclosure agreements, have completed
NIH security training, and been instructed in the appropriate management of IIF.
Electronic access to the system is restricted to persons with credentials that include a password
and logon. NIH policies apply to password complexity and change frequency. Access lists are
reviewed every 6 months to ensure currency. Individual access may be reviewed on an as needed
basis. Data travels only over secured NIH networks. Servers are located in secure physical
locations certified and accredited for appropriate physical access controls.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID DAIT Studies
System (DSS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8534-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID DAIT Studies System (DSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439
10. Provide an overview of the system: This is a management oversight system designed to
assist the Division of Allergy, Immunology and Transplantation (DAIT) Project Officers (POs)
in managing research projects that include human subjects.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information will not be shared. Per SORN 09-25-0036, disclosures may be made for the
following uses:
Disclosure may be made to the cognizant audit agency for auditing.
Disclosure may be made to a congressional office from the record of an individual in response to
an inquiry from the congressional office made at the request of that individual.
Disclosure may be made to qualified experts not within the definition of Department employees
as prescribed in Department regulations for opinions as a part of the application review process.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Name, personal mailing
address, personal telephone number, and personal email address are the PII that the agency will
collect. It will be used for management oversight to assist DAIT Project Officers (POs) who
manage research projects that include human subjects.
Submission of the information is voluntary as it is part of the application process, but
applications that are submitted without the information could be hindered from processing and
could be declined for insufficient information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is provided by individuals who are
applying for grants. Participation is at the discretion of the individual who applies for the grant or
award. The applicants are informed on the application that the information collected will be used
solely for the management of the grants process and will not be shared. There is no process in
place to notify individuals in the event of a major change to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Authorized Users: Employees who maintain
records in this system are instructed to grant regular access only to NIH extramural and advisory
committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-
time and special access by other employees is granted on a need-to-know basis as specifically
authorized by the System manager.
Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is
restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP)
work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory
Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the
contractor performance files is restricted through the use of secure socket layer encryption and
through an IBM password protection system. Only authorized government contracting personnel
are permitted access. Access is monitored and controlled by OAMP.
Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records
may be removed from files only at the request of the System manager or other authorized
employee. Access to computer files is controlled by the use of registered accounts, registered
initials, keywords, and similar limited access systems.
These practices are in compliance with the standards of Chapter 45-13 of the HHS General
Administration Manual, "Safeguarding Records Contained in Systems of Records,"
supplementary Chapter PHS hf: 45-13, and the HHS Automated Information Systems Security
Program Handbook.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha R. Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Employee Database
Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan
10. Provide an overview of the system: EDie is an intranet based application primarily used to
manage and track personnel information. Authority for maintenance of the system: 5 U.S.C.
1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal administrative use only and will not be shared with other
entities. Refer to SORN 09-90-0018, SORN 09-90-0024 and SORN 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system; Fellowship
Payment System (FPS); nVision Data Warehouse, NIH Enterprise Directory (NED) and the NIH
Foreign National Information System (NFNIS). Uses consist of the following: a) tracking time-
limited appointments and visa information to ensure renewals are done in a timely manner,
thereby avoiding any break in service or immigration implications; b) ensuring that allocated
FTE ceilings are maintained; c) ensuring salary equity for various hiring mechanisms; d)
providing reports requested by the NIH Director, the IC Director, and other management staff, as
requested; and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring
appointments. The type of information collected constitutes PII and includes, but is not limited to
the following data elements: name, home address, home phone number, social security number
and date of birth. The PII collected is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS,
nVision Data Warehouse, NED and NFNIS. Changes to HRDB or changes in the way
information is used are relayed to employees via official notices from the NIH Office of Human
Resources (OHR). Individuals are notified of the collection and use of the data as part of the
hiring process. This is a mandatory requirement of potential job applicants seeking employment
at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Authorized Users: The NIAID system
manager(s) authorize access to the system based upon an employee’s official role and job
function within the organization in addition to management approval.
Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is
restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP)
work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory
Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the
contractor performance files is restricted through the use of secure socket layer encryption and
through an IBM password protection system. Only authorized government contracting personnel
are permitted access. Access is monitored and controlled by OAMP. The NIAID Data Center is
restricted by badge access whereby permissions are only provided to limited employees with job
functions requiring such access. In addition, entry to the building is controlled via badge access
and visitors are required to sign in at the guard’s desk and be escorted around the building.
Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records
may be removed from files only at the request of the System manager or other authorized
employee. Access to computer files is controlled by the use of registered accounts, registered
initials, keywords, and similar limited access systems.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha R. Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID iMedRIS
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A - Minor Application
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID iMedRIS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bill Barrick, Clinical Research
Program Analyst
10. Provide an overview of the system: Submission and management of documents associated
with Institutional Review Board business of the NIAID.
NIAID IRB Submissions (iMedRIS/iRIS) is a commercial software solution intended for use by
the NIAID Institutional Review Board (IRB) Office and its customers including IRB members
and clinical research Investigators. The purpose of the solution is to manage the online
submissions associated with clinical research protocols and the work of those whose
responsibility it is to assure human subjects protections.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Clinical research protocols,
documents supporting human subjects protections as they relate to clinical research protocols
including adverse events that occur during the conduct of such protocols and information items
about clinical research protocols and the business of the Institutional Review Board. No IIF is
contained in any of the documents.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A -
No IIF in system
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID NIAID Clinical
Data Management Suite [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/4/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8523-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIAID Clinical Data Management Suite
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Marci
10. Provide an overview of the system: The Enterprise System (ES) is a comprehensive system
that supports DAIDS’ business functions, management, and oversight responsibilities. It is
exclusively for the use of administrators and research staff, and contains no clinical trials data,
which are maintained in other systems not connected to the ES. Its components include:
· SharePoint Portal – a common access point for DAIDS staff inside NIAID; not reachable
from outside the NIH firewall.
· Protocol Management – central repository for DAIDS network and non-network protocols.
· Protocol Registration – manages registration of sites on protocols.
· Investigational New Drug (IND) Management – IND tracks and manages IND
submissions to the FDA.
· Master Contact – centralized system for contact info for stakeholders engaged in clinical
research (e.g., investigators, collaborators, institutions, labs, agencies, pharmaceutical sponsors,
manufacturers). The ES Data Collection Center (EDCC), which is run under a contract managed
by DAIDS, gathers publicly available contact information for staff and enters it for professional
purposes.
· Expedited Adverse Experience Reporting System (DAERS) – expedited reporting of
adverse events in DAIDS sponsored clinical trials. These events are tracked using general
information about trials participants, not specifics such as names or traceable IDs.
· Clinical Site Monitoring System – official info source for Clinical Site Monitoring activities
(e.g., tracking of monitoring schedules, assignment requests, site monitoring reports, & issues
identified during site visits).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The ES requires medical officers to provide CVs. For information about protocol registrations,
clinical trials, trial sites, etc., the system relies upon the ES Data Collection Center (EDCC),
managed by an external contractor, to provide business contact information for DAIDS
administrative staff, such as workplace address, institutional affiliation, workplace e-mail,
business phone number and so on. As part of the protocol registration, site management, etc.
processes, the EDCC inputs work contact information supplied by individuals, along with other
information supplied as part of these business processes.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The information the
agency will collect, maintain, or disseminate
Organization: Displays the Organization with which the person is affiliated.
Type: Displays the Organization type associated with the organization name, e.g., Clinical Trials
Unit, Clinical Research Site, Pharmacy, etc.
Organization ID: Displays the DAIDS-assigned Organization ID associated with the organization
name, for all organization types except Clinical Research Sites.
Site ID: Displays the DAIDS-assigned Site ID associated with the Clinical Research Sites. The
Site ID will only display if the Organization Type is Clinical Research Site.
Participant Name: Displays the full name of the person meeting the search criteria. The name
appears as an e-mail hyperlink.
Participant Type: Displays the person type associated with the person name, e.g., Federal
Personnel, Site Personnel, Network Personnel, etc.
Participant ID: Displays the Participant ID associated with the Person’s name. This is a number
assigned by the ES to keep track of the person’s work information and status.
Role (Title): Displays the role of the person at the displayed organization and the title in
parentheses.
Address: Displays the business address of the person at the organization.
Contact: Displays the business phone numbers of the person at the displayed organization.
(2) Why and for what purpose the agency will use the information
The Division of AIDS and NIAID collects CVs only in the ES for regulatory purposes.
(3) Explicitly indicate whether the information contains PII.
The PII consists of the contact information which the EDCC may gather from previously self-
submitted data.
(4) Whether submission of personal information is voluntary or mandatory
Mandatory. There is no form or field in the ES for anyone to input or adjust their personal
information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) Notify and obtain consent from the individuals
whose PII is in the system when major changes occur to the system
Medical officers are responsible for uploading their CVs as part of the regulatory process.
(2) Notify and obtain consent from individuals regarding what PII is being collected from them
Beginning with its next formal release, the ES will include a notice on its Master Contact search
results pages. The notice will read: “This system does not solicit Personal Identifiable
Information (PII). It is intended strictly for business use. However, if an individual has provided
PII on a contact form in the past, and that PII is publicly available, that PII may be reflected in
the contact information displayed as a result of a DAIDS-ES search.”
(3) How the information will be used or shared
Work information and the CVs will be used to verify the status and credentials of a medical officer.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The ES permits access only to authorized and
authenticated users. Security measures compliant with Federal guidelines and directives (NIST,
FIPS, OMB, GAO, and agency-level HHS/NIH) and with industry best practices are in place to
ensure the effective use of security controls and authentication tools to protect privacy to the
extent feasible. The risk of unauthorized access is therefore considered low.
Access to information is limited to authorized personnel in the performance of their duties.
Authorized personnel include system managers and their staffs, and NIH contractors and
subcontractors, all of whom are responsible for administering the DAIDS-ES. Physical
safeguards: Rooms where data servers are kept are continually monitored. During all hours,
rooms are locked and controlled by on-site personnel. Security guards perform random checks on
the physical security of the storage locations after duty hours, including weekends and holidays.
Procedural and Technical Safeguards: A password is required to access the Portal and all its
applications, and a data set name controls the release of data only to authorized users. Codes by
which automated files may be accessed are changed periodically. This procedure also includes
deletion of access codes when employees or contractors leave. New employees and contractors
are briefed and the security department is notified of all staff members and contractors
authorized to be in secured areas during working and nonworking hours. This list is revised as
NIH requires the completion of a computer-based training (CBT) course entitled ‘Computer
Security and Awareness’ for NIH staff and contractors. This CBT provides an overview of basic
IT security practices and the awareness that knowing or willful disclosure of any sensitive
information can result in criminal penalties associated with the Privacy Act, Computer Security
Act, and other federal laws that apply. This CBT can be found at http://irtsectraining.nih.gov/.
User access may be requested only by personnel authorized by the Executive Officer. Users are
not permitted system access until the required system training prerequisites are completed and
they demonstrate the competencies required to fulfill their work responsibilities. Individuals
remotely accessing the secured areas of the ES Internet sites have separate accounts and
passwords, and all data transmitted between the server and workstations is encrypted.
These practices are in compliance with the standards of Chapter 45-13 of the HHS General
Administration Manual, "Safeguarding Records Contained in Systems of Records,"
supplementary Chapter PHS 45-13, and the Department's Automated Information System
Security Handbook.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha R. Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID NIAID Intramural
NIAID Research Opportunities Program [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8529-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0014
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Intramural NIAID Research
Opportunities Program (INRO)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439 ,
10. Provide an overview of the system: INRO introduces minority students to research and
training opportunities in NIAID's Division of Intramural Research and the Vaccine Research
Center. To support this endeavor, the INRO system was created. INRO provides an on-line
application process for students interested in the INRO Program, and enables reviewers to assign
ratings and select students for participation. It serves as a resource for INRO program
administrators.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The information that is
collected will be the following:
- Name
- Date of Birth
- Alien Registration Number
- Medical Notes
- Mailing Address
- Phone Numbers (e.g., phone, fax, and cell)
- Email Address
- Education Records
- Race
- National Origin
- Country of birth
- Gender
- Emergency Contact Name
- Emergency Contact Phone
- Dates of Winter Break
- Sponsor Name
- Sponsor E-mail
- Sponsor Telephone
(2) INRO is intended to support students from populations underrepresented in the biomedical
sciences interested in pursuing a research career in allergy, immunology, or infectious diseases.
The information being collected will be used to assess trainees' applications for entrance into the
program.
(3) The information contains PII.
(4) Submission of personal information is mandatory in order to apply for the INRO program.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Students supply information voluntarily as part of the
application process for an internship opportunity at the NIH. PII is collected at the time of
application for the internship. Students are informed of the need and intended use of the PII at
the point of collection, and they are given the choice to opt out by not completing and submitting
the application for an internship.
They are advised that the information collected is to be used strictly for administering the INRO
program.
They may opt out of the submission by not submitting an application.
Notification is made electronically, and in some cases by mail, if changes occur that warrant
notification to enrollees.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Data security in accordance with the HHS,
NIH, and NIAID IT security guidelines, and the guidelines of the Office of Training and Special
Emphasis Programs (OTSEP).
Measures to prevent the unauthorized disclosure of information covered under the Privacy Act
are implemented for each training program administered through the Office of Education.
Authorized Users: Staff in the Office of Education are instructed to disclose information only to
NIH personnel who are involved in the evaluation and selection of candidates for intramural
training programs.
Physical Safeguards: Paper files and disks are stored in cabinets in a locked room that is under
constant surveillance by security personnel. Electronic databases are accessible only with a
password on secure web sites.
Procedural safeguards: Access to the paper files is strictly controlled by the Office of Education
staff. Files may be removed only with the approval of the system manager or other authorized
official(s).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID NIAID Planning
and Reporting System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8504-00-301-092
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Planning and Reporting System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439 ,
10. Provide an overview of the system: NIAID Planning and Reporting System (NPARS) is a
web based application that enables NIAID staff to monitor, process, and report on the status of
competing and noncompeting grant applications. NIAID division offices use it internally to track
and manage grant applications processes, such as review, approve, release and award grant
applications. It is segmented into the following modules: NIAID Funding Plan, RFA/PA Award
System, Bridge Awards System, Select Pay Awards System,
Merit Pay System, Merit Extensions, FY Grants Tracking System, GrayZone Comments Select
Pay and Bridge, Request For Administrative Supplement, and GMB Special Actions. The system
also has a number of council reports.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Does Not Share
Per SORN (09-25-0036) disclosures may be made to a Federal Agency, The Department, or
another NIH organization according to the guidelines stipulated in the SORN.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: As part of the Institute's
research management business function, this system contains Names, Mailing Addresses, and
Phone numbers of Principal Investigators involved in research funded by the Institute. This
information is voluntarily submitted by principal investigators seeking NIH funding for research.
There is an opt out choice. The information collected is used to manage NIH business functions.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Grant applicants are given copies of NIAID's Privacy
Policy during the application process. Consent is obtained upon application. IIF within this
system is not disclosed or utilized outside of the functions of managing the Institute's business.
Individuals are notified of changes in writing per NIAID's Privacy Policy.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative Access Controls: Employees
who maintain records in this system are instructed to grant regular access only to NIH extramural
and advisory committee staff, NIH contract management staff, and Federal acquisition personnel.
One-time and special access by other employees is granted only when specifically authorized by
the System manager.
Technical Controls: Access to the contractor performance files is restricted through the use of
Secure Sockets Layer (SSL) encryption and through an IBM password protection system. Only authorized
government contracting personnel are permitted access. Access is monitored and controlled by
OAMP. Access to source data files is strictly controlled by files staff. Records may be removed
from files only at the request of the System manager or other authorized employee. Access to
computer files is controlled by the use of registered accounts, registered initials, keywords, and
similar limited access systems. NPARS system has been through a full C&A and received an
ATO from NIAID's CIO. The system benefits from a double firewall, user authentication, least
privilege access, and controlled access points.
Physical Controls: Physical access to Office of Extramural Research (OER) work areas is
restricted to OER employees. Physical access to the Office of Acquisition Management and Policy (OAMP)
work areas is restricted to OAMP employees. Physical access to the Office of Federal Advisory
Committee Policy (OFACP) work areas is restricted to OFACP employees. The system resides
on servers that are in a locked server facility with restricted access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Program
Management Tool (PMT)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8508-00-301-092
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Program Management Tool
(PMT)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439 ,
10. Provide an overview of the system: The Program Management Tool (PMT) is an Intranet,
web-based application that was developed for Program Officers (PO) within the Division of
Microbiology and Infectious Diseases (DMID) of the extramural branch as an aid for organizing
and managing their grants and project applications portfolio. The primary purpose of the
application is to assist POs in performing various administrative tasks associated with portfolio
management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system integrates all
electronic information resources required to perform the activities of portfolio management. It
captures information about the application, awards, and grants. It contains indicators from basic
laboratory science to Phase III clinical trials. It has biodefense program information. This
system does not collect PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This system contains no PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: NA
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Research Initiative
Management System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8536-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Scientific Initiative
Management System (SIMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439 ,
10. Provide an overview of the system: The Scientific Initiative Management System (SIMS)
is designed to integrate the creation of concepts for initiatives, and the review and approval of
selected concepts for development as Request for Applications (RFA), Request for Proposals
(RFP), Program Announcements (PA), and Contracts. It enables phasing (scheduling) and
tracking of initiatives from approval through completion stages.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system contains Names,
personal email addresses and personal phone numbers. The information is used to support
centralized grant programs of the Public Health Service. Services are provided in the areas of
grant application assignment and referral, initial review, council review, award processing and
grant accounting.
Submittal of this information is voluntary. The applicant has the choice to opt out.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Consent is gained at the point of application. The
Institute's Privacy Policy is included with application materials and describes the intended use of
the data by the Institute. An applicant consents to the disclosure and use of personal information
by submitting an application. The intended use of the information is disclosed during the
application process. Applicants are notified via electronic means, postal service, or telephone of all
changes that affect their grant or contract status. This includes their file information.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Authorized Users: Employees who maintain
records in this system are instructed to grant regular access only to NIH extramural and advisory
committee staff, NIH contract management staff, and Federal acquisition personnel. One-time
and special access by other employees is granted on a need-to-know basis as specifically
authorized by the System manager.
Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is
restricted to OER employees. Physical access to the Office of Acquisition Management and Policy (OAMP)
work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory
Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the
contractor performance files is restricted through the use of Secure Sockets Layer (SSL) encryption and
through an IBM password protection system. Only authorized government contracting personnel
are permitted access. Access is monitored and controlled by OAMP.
Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records
may be removed from files only at the request of the System manager or other authorized
employee. Access to computer files is controlled by the use of registered accounts, registered
initials, keywords, and similar limited access systems.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Reviewer Support
Site (RSS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8534-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Reviewer Support Site (RSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439 ,
10. Provide an overview of the system: The Scientific Review Program (SRP) conducts
meetings to perform technical evaluation (a.k.a. peer review) of grant applications and contract
proposals. The NIAID Reviewer Support Site (RSS) enhances the communication of
information between meeting coordinators and participants throughout the process.
RSS is a secure, Internet-accessible administrative support system that provides a centralized
repository of documents and information related to review meetings. The system was updated
to provide:
- Online active forms for collection of pre-review data from reviewers
- Pre-review reports for meeting staff
- Electronic review function (assignment tools, collection and management of evaluations, etc.)
- Improvement to the management, configuration, and presentation of meeting-related files
- Improvement to the overall user interface
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share it with any other system.
Disclosure may be made to qualified experts not within the definition of Department employees
as prescribed in Department regulations for opinions as a part of the application review process.
A record may be disclosed for a research purpose, when the Department: (A) has determined that
the use or disclosure does not violate legal or policy limitations under which the record was
provided, collected, or obtained.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Very limited IIF is
maintained for user identification and communication, and reporting.
Reviewers:
Full name (from NIHExt or NED)
Academic degrees (required)
Rank or title (required)
Work address (from NIHExt or NED)
Work phone # (from NIHExt or NED)
Work fax #
Home address (required)
Home phone # (required)
Cell phone #
Phone # for teleconference
Email address (from NIHExt or NED)
Alternate contact (e.g., assistant’s name, phone #, email address)
Federal employee status
Other appointments or professional affiliations
Gender
Race/Ethnicity
Used for:
Contact info
Meeting management
Submission in government-mandated reports
Submission of IIF is voluntary. Consent is implicit in the reviewer’s agreement to serve on a peer
review committee.
Meeting Staff:
Full Name (from NED)
Work email address
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information about NIAID staff will be entered by
system administrators or the individuals themselves. Some information about reviewers will be
collected via telephone conversation or hardcopy submission and entered by NIAID staff; the
rest will be entered online by the individuals themselves. Reviewers are instructed by initial
telephone interview that information about them will be used for internal administrative purposes
only and will not be shared. Consent is implicit in a reviewer’s agreement to serve on a peer
review panel.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system resides on a secure server
behind a firewall. Communications between the web browser and system server are encrypted
(TLS). User access is by invitation only, via authenticated user ID and password. Passwords
comply with HHS/NIH policy (expiration, format, etc.). Permissions are governed by the user’s
assigned system-wide and meeting-specific roles. Access to individual meetings (files and other
data) terminates after specified dates. Physical access controls include guards, ID badges, and
key cards.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Scientific
Reporting Suite (SRS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8535-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIAID Scientific Reporting Suite (SRS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439
10. Provide an overview of the system: A series of software support tools for the DEA -
primarily scientific reporting tools regarding research, science, grants management, and data
analysis.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
There is no PII in this system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system does not collect
or contain any IIF.
It consists of a suite of software support tools for OSPFM. It identifies the scientific codes
employed by NIAID to define the type of research performed on research efforts. Each discipline
and sub-discipline has specific codes which are used to track the work; the tools are primarily
scientific reporting tools regarding research, scientific coding, science, grants management, and
data analysis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Visual Status of Funds (VSOF)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joe Croghan
10. Provide an overview of the system: This application is used to monitor, track, query and
report the Institute’s fiscal and budgetary data in order to monitor obligations and expenditures
associated with the current fiscal year.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
System does not collect PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Accounting data and related
document information is downloaded from the budget module of the NIH Data Warehouse and is
relevant or specific to NIAID for its fiscal year operations. The system contains no IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A - System does not collect PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system does not contain IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha R. Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Vaccine Research
Center Study Manager (VRCSM) [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0012
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Vaccine Research Center Study
Manager (VRCSM)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Huyen, Yentram
10. Provide an overview of the system: This is a clinical trial recruitment and scheduling
system for vaccine research. It is used to collect information from individuals who wish to
volunteer to participate as healthy participants in clinical trials.
Legislative authority is: 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR
Subpart 15.3 and Subpart 42.15
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Does not disclose or share PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The following PII is
collected:
· Name (Mandatory)
· Age and date of birth (Mandatory)
ONE method of contact is mandatory (participant's choice of):
· Mailing address or
· Telephone number and alternate phone number or
· Email address
Additional information is collected AFTER volunteer provides verbal consent. People who do
not wish to provide information are not eligible to participate in voluntary studies.
· Generic medical history of healthy volunteers
· History of sexual behavior (if applicable to the trial)
(2) The information is collected to track potential clinical trial volunteers and determine their
suitability for participation in various clinical trials.
(3) The information collected does contain PII.
(4) The submission of personal information is mandatory only if volunteers decide to pursue
enrollment.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Individuals agree to have information collected as part
of clinical trial screening. Major changes are not contemplated for this system, and data is not
shared. The data will never be used for other purposes. Individuals call in and volunteer for
studies themselves; consent is obtained at that time, and notification of how the information will
be used is provided then as well.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: User accounts grant access only to those
individuals who have a need to know the information in the performance of their duties. Data is
not available outside of the dedicated group. The system is housed in a locked server room with
strict access control. Duties are divided to ensure access monitoring. Management review
ensures compliance with procedures.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha R. Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Vaccine Research
Center Support Suite [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8541-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Vaccine Research Center
Support Suite (VRC)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Tram Huyen
10. Provide an overview of the system: This is a suite of software applications built for use by
Vaccine Research Center (VRC) research scientists and laboratory staff. These systems include
features for sophisticated data analysis, information storage, retrieval and sharing, and reporting.
The data is scientific in nature and does not have any patient or clinical identifiers.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A - This system contains no IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. The information is
collected and maintained for use by scientists, and consists of plasmid maps, laboratory
protocols, and lists of cell lines. It is for internal use only.
2. This information serves as a repository of resources for scientists.
3. There is no PII contained within the system.
4. There is no personal information contained within the system.
No IIF collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF is collected or maintained in this
system.
Authorized Users: Employees who maintain records in this system are instructed to grant regular
access only to NIH extramural and advisory committee staff, NIH contract management staff,
and Federal acquisition personnel. Other one-time and special access by other employees is
granted on a need-to-know basis as specifically authorized by the System manager.
Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is
restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP)
work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory
Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the
contractor performance files is restricted through the use of secure socket layer encryption and
through an IBM password protection system. Only authorized government contracting personnel
are permitted access. Access is monitored and controlled by OAMP.
Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records
may be removed from files only at the request of the system manager or other authorized
employee. Access to computer files is controlled by the use of registered accounts, registered
initials, keywords, and similar limited access systems.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAID
WAN/Internet/Remote Access [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Does not exist.
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID WAN/Internet/Remote Access -
GSS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Alex Rosenthal
10. Provide an overview of the system: The NIAID WAN provides a platform for all network
functionality. This includes application hosting, network resources, network connectivity to
greater NIH resources, internet access, and file storage capabilities. All information that may be
utilized by NIAID personnel is potentially stored and/or transmitted via the NIAID WAN.
Access to the NIAID WAN is restricted to NIAID facilities; remote access may only be obtained
through systems that traverse NIH and NIAID firewalls. Means of remote access consist of
Citrix and Virtual Private Network.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Does not share.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This is a GSS system and
does not collect, maintain, or disseminate PII as a separate system. Minor applications residing
on the network each have their own Privacy Impact Assessment which details this information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Each major application which resides on the network
and which also contains PII has its own processes.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no PII on the network.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Apex Applications
(Apex)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NIAMS Oracle Application Express
(APEX)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Janet David
10. Provide an overview of the system: The system displays IMPAC II data based on a
specific query. IMPAC II (Information for Management, Planning Analysis, and Coordination)
is an NIH enterprise application consisting of a series of modules that allow the Extramural
Program community to input, track, analyze, manage, and report grant portfolio data. The data
pulled is: full grant number, grant title, PI Name, PI Organization, PI Email address, PI
Organization address, grant status, Program Class Code, Program Official, budget start date,
budget end date, awarded amount, abstract. The legislation authorizing this activity is 5 U.S.C
1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521, and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIAMS collects the Name,
Business Address, Business Telephone Number, Business FAX Number, and Business Email
Address for Program Officials, Grants Management Officers, and Grants Management
Specialists, and Scientific Review Officers. In addition to these fields, the Education/Degree
field is captured for the Principal Investigator. Information is used for creating various reports
on grant data. The information is for contact purposes and for Freedom of Information Act
(FOIA) requests. Contact information is gathered from other systems such as IMPAC II, the NIH
global address list, and legacy Administrative Management Budget System (AMBIS) data. The
information is necessary if the persons intend on conducting business with the NIH.
Legislative authority: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521, and Executive
Order 10561
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) Individuals provide consent for the use of their
information, including when major changes occur to the system, at the time they provide their
information into the database.
(2) The Program Official, Grants Management Officer, Grants Management Specialist, and
Scientific Review Officer are required to provide their names, business addresses, business
telephone numbers, business fax numbers, and business email addresses to be posted for their
assigned grants. Individuals are notified at the point of entry into the system regarding the PII
that is being collected from them and they voluntarily provide consent when entering their data.
(3) Information is used and shared electronically.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Admin Controls - The information is
maintained on-line by the system and may be accessed and printed by those authorized access to
the information. Access to this data is limited to those persons whose official duties require such
access.
Physical controls - Access to the system requires an NIH Login userid and password. The system
is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc. residing
in NIAMS). The servers are secured in a locked, controlled environment.
Technical controls - The NIAMS ISSO and Server Team monitor and control access to all
NIAMS machines, including the Intranet server using system monitoring and intrusion detection
tools.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme, 301-496-8296
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Coding System for
Special Emphasis Areas (SEA)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-8801-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: 0925-0001
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIAMS Coding System for Scientific
Emphasis Areas (SEA)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Janet David
10. Provide an overview of the system: In order to respond to the NIH Budget Office requests
and congressional inquiries regarding awarded information in relation to disease reporting areas,
awarded data on grants, research contracts and intramural projects are “coded” by disease or
special emphasis areas (SEA). This system allows the record to be coded and reports generated
to respond to requests. The principal investigator's name and business address are included on
reports for reference. Data is tallied by fiscal year and comparisons made. The purpose of this
system is to code the grant, contract or intramural project to obtain the data.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is collected under SOR 09-25-0036. Information is compiled in report format to
respond to queries from Congressional offices, scientific associations and for NIH disease
reporting information. Data is provided to show projects funded to support the numerous NIAMS
disease categories. The data is displayed to show dollars awarded to Institutions/Principal
Investigators broken down by disease categories. IIF data is used to identify and credit the
project to the specific investigator.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Legislation authority: 5
U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288; 48 CFR Subpart 15.3 and Subpart
42.15.
The name and address information associated with the grant, contract or project is listed on the
generated reports as a reference. The grant, contract or project is coded for special emphasis
areas (SEA) as it relates to disease reporting. Information is collected to respond to
congressional inquiries and budget office requests. Information is usually aggregated for each
special emphasis area as well as reports listing the specific grant, contract, and project.
Information is mandatory under the parent eRA/NIH system. (NIAMS is not making it
mandatory).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This system is an extension of the enterprise system
(eRA/ImpacII) which is authorized to collect data under 0925-0001. If major changes in the
enterprise system occurred, the notification and consent would be through the enterprise system.
Changes to the forms or systems that collect the data would notify the individuals when they
enter their own data. This system does not collect or use any other data on the individual except
what is available through the enterprise system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Admin Controls - The information is
maintained on-line by the system and may be accessed and printed by those authorized access to
the information. Access to this data is limited to those persons whose official duties require such
access.
Physical controls - Access to the system requires an NIH Login userid and password. The system
is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc. residing
in NIAMS). The servers are secured in a locked, controlled environment.
Technical controls - The NIAMS ISSO and Server Team monitor and control access to all
NIAMS machines, including the Intranet server using system monitoring and intrusion detection
tools.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme, 301-496-8296
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Employee
Database Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NIAMS Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ms. Valerie Green
10. Provide an overview of the system: EDie is an intranet based application primarily used to
manage and track personnel information. Authority for maintenance of the system: 5 U.S.C.
1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal administrative use only and will not be shared by other
entities. Refer to SORN 09-90-0018, SORN 09-90-0024 and SORN 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, Fellowship
Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses
consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports
requested by the NIH Director, the IC Director, and other management staff, as requested; and e)
maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments.
The type of information collected constitutes PII and includes, but is not limited to, the following
data elements: name, date of birth, SSN, race, address, phone numbers, etc.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The Information is derived from information supplied
by the individual, which is placed in the HRDB or EHRP, or is provided by Department officials.
Information is initially supplied by the individual to Human Resources, in writing, at the time of
employment. The information is required to process payroll, taxes, benefits, and other actions
and determinations. Consent is provided as part of the initial data collection process, for input
into HRDB/EHRP and NED.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored in EDie is accessed by a very
limited number of administrative staff with a “need-to-know” status. EDie is password protected
and sensitive data is encrypted. The system is located at One Democracy Plaza, 6701
Democracy Blvd, Suite 704, Bethesda, MD behind the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Internet Multi-IC
Contract Tracking System (MCTS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-8801-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: 0990-0115
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Internet Multi-IC Contract Tracking System
(MCTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Janet David
10. Provide an overview of the system: This system is used to monitor and track deliverables
and administrative paperwork on awarded research contracts. System is used to facilitate the
work processes within the contract management office and to provide the data for reports for
internal sources.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is collected under 09-25-0036. Data is for internal purposes to track and manage the
contract paperwork with the office. IIF data is used to identify the principal investigator of the
contract.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Legislation authority: 5
U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288; 48 CFR Subpart 15.3 and Subpart
42.15.
Information collected is from the awarded research contract paperwork and is for internal
administration of the contract. A contact person's name and mailing address is included for
reference and to generate correspondence. The contact name & address is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) If major changes in the enterprise system occurred
(request for contract data), notification and consent would be through the enterprise system.
Changes to the forms or systems that collect the data would notify the individuals when they
enter their own data and apply for a contract. This system does not collect or use any other data
on the individual except what is available through the enterprise system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Admin Controls - The information is
maintained on-line by the system and may be accessed and printed by those authorized access to
the information. Access to this data is limited to those persons whose official duties require such
access.
Physical controls - Access to the system requires an NIH Login userid and password. The system
is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc. residing
in NIAMS). The servers are secured in a locked, controlled environment.
Technical controls - The NIAMS ISSO and Server Team monitor and control access to all
NIAMS machines, including the Intranet server using system monitoring and intrusion detection
tools.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme, 301-496-8296
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Internet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8812-00-312-165
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not applicable
5. OMB Information Collection Approval Number: Not applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIAMS Internet Website
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Danny Heise
10. Provide an overview of the system: Information Dissemination - NIAMS receives calls
requesting various literature related to the NIAMS mission. In order to send the information, the
caller's name, address and, optionally, their email address and telephone number are captured.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is shared with the NIAMS Clearing House that sends out requested literature.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIAMS collects the caller's
name and address, and optionally their email and telephone number, plus a description of the
information requested. We also collect IP addresses and pages visited in the log.
The data is used to send the requested information to the requestor. The data is shared with a
Clearing House who mails out the information. Once the information (brochure, literature, etc.)
is mailed, the data is deleted.
The requestor would need to furnish their name and address (or email address) in order for the
requested literature to be mailed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) When/if major changes occur to the system that could
affect or change how the individuals' information would be shared, each of the existing
individuals would be notified, via mail or email, and requested to consent to the new process. All
new users would be made aware of the change when they supply or enter their information.
Under the Privacy Statement tab located on the web site, the requestor is notified of what
information will be collected and how it will be used.
The requestor's information is deleted after the materials have been mailed. Changes to the
system would not affect the requestor.
The name, address, and optionally an email address and telephone number, are collected from
the individual who requests literature from the NIAMS. Without the name and address, the
literature could not be mailed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Admin Controls - The information is
maintained on-line by the system and may be accessed and printed by those authorized access to
the information. Access to this data is limited to those persons whose official duties require such
access.
Physical controls - Access to the system requires an NIH Login userid and password. The
system is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc.
residing in NIAMS). The servers are secured in a locked, controlled environment.
Technical controls - The NIAMS ISSO and Server Team monitor and control access to all
NIAMS machines, including the Intranet server using system monitoring and intrusion detection
tools.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme, 301-496-8296
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Intranet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8812-00-312-165
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: Not applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIAMS Intranet Site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Danny Heise
10. Provide an overview of the system: Information dissemination to the NIAMS staff.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Reference SOR # 09-25-0106
The information is shared internally amongst NIAMS Staff. It is used to complete administrative
processes/functions.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The agency collects the
individual's name, photo, Lab/Branch/Office address, business phone numbers, and business
email address for administrative processes/functions. The photo is voluntary and the other
information obtained is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) When/if major changes occur to the system that affect
or change how the individuals' information will be shared, each of the existing individuals would
be notified, via mail or email, and requested to consent to the new process. All new users will be
made aware of the change when they enter or supply their information.
The Directory information is mandatory and is provided by the Administrative Office. The photo
is voluntary. Staff members must sign a consent form before the photo is taken and placed on the
Intranet. The site contains a privacy notice that states, "This is a U.S. Government Internal
(Intranet) Web site, which may be accessed and used only for authorized Government business
by authorized personnel. Unauthorized access or use of content on this Web site may subject
violators to criminal, civil, and/or administrative action. All information on this site may be
intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official
purposes, including criminal investigations. Such information includes sensitive data encrypted
to comply with confidentiality and privacy requirements. Access or use of this Web site by any
person, whether authorized or unauthorized, constitutes consent to these terms. There is no right
of privacy when accessing this site. Information on this site relates only to work and data related
to NIAMS activities. No information related to non-business activities of personnel will be
collected or presented on this site without the explicit written permission of the personnel
involved."
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Admin Controls - The information is
maintained on-line by the system and may be accessed and printed by those authorized access to
the information. The data is indexed by employee name. Access to this data is limited to those
persons whose official duties require such access.
Physical controls - Access to the Intranet requires an NIH Login userid and password. The
NIAMS Intranet is further restricted to only NIAMS employees and the NIAMS domain
(servers, PCs, etc. residing in NIAMS). The servers are secured in a locked, controlled
environment.
Technical controls - The NIAMS ISSO and Server Team monitor and control access to all
NIAMS machines, including the Intranet server using system monitoring and intrusion detection
tools.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme, 301-496-8296
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS NIAMS General
Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-0200-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAMS Local Area Network (LAN)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chris Squiers
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not applicable. The system is a GSS and does not
directly collect or store information. The applications/systems residing on the GSS collect and
store information. Therefore, individual PIAs have been prepared and submitted for the
applications/systems residing on this GSS.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not applicable - no PII data.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Resource
Management Services Budget (RMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-01-02-8806-00-
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not applicable
5. OMB Information Collection Approval Number: Not applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIAMS Resource Management Services
(RMS) Budget System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Janet M. David
10. Provide an overview of the system: Create and maintain budget data for the NIAMS Office
of the Director programs. The legislation authorizing this activity is 5 U.S.C. 1302, 2951, 4118,
4308, 4506, 7501, 7511, 7521, and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Reference SOR # 09-90-0018. This information is further addressed in the HHS Privacy Act
Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November
9, 1994.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIAMS collects Employee
Last and First Names with the salary, grade, and step. Information is used for creating the OD
Division budget for each fiscal year.
Data is not matched with any personal identifiers, sensitive data, or Privacy Act data. Data is
required to project and create an accurate budget for FTEs.
This information is collected as backup data to create the salary line item for the NIAMS OD
budget for the fiscal year.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) When/if major changes occur to the system that affect
or change how the individuals' information will be shared, each of the existing individuals would
be notified, via mail or email, and requested to consent to the new process. All new users will be
made aware of the change when they are asked to supply information.
The information is provided by Department officials; only Employee Name, Grade, Step, and
Salary information is gathered via biweekly download from the NIAMS Employee Database
Internet Edition (EDie).
It is supplied via data download in a separate Oracle table from EDie.
The information is required, as a condition of employment, to process payroll, taxes, benefits,
and other actions and determinations made about an individual while employed.
Written notice is provided to the subject at the time of employment.
Notification procedures include the immediate supervisors of individuals or the administrative
offices of the organizational units in which employed. HR may also provide further information
concerning the existence of this SOR. Individuals should provide their name, SSN, and
organization in which employed.
The information is used by operating officials in carrying out their management responsibilities.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Admin Controls - The information is
maintained on-line by the system and may be accessed and printed by those authorized access to
the information. Access to this data is limited to those persons whose official duties require such
access.
Physical controls - Access to the system requires an NIH Login userid and password. The
system is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc.
residing in NIAMS).
Technical controls - The NIAMS ISSO and Server Team monitor and control access to all
NIAMS machines, including the Intranet server using system monitoring and intrusion detection
tools.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme, 301-496-8296
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS SF-52 (SF-52)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-8801-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: Not applicable
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIAMS SF-52 Tracking
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Janet M. David
10. Provide an overview of the system: The system is used to create, modify, route, and track
SF-52 (personnel) actions. IIF data collected/used is the employee's name, DOB, SSN, mailing
address, and salary. The information is required, as a condition of employment, to process
payroll, benefits, taxes, and other actions and determinations made about an individual while
employed.
Reference SOR # 09-90-0018.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Reference SOR # 09-90-0018.
The Office of Personnel Management, Merit System Protection Board, Equal Employment
Opportunity Commission, and the Federal Labor Relations Authority in carrying out their functions.
Appropriate federal, state or local agencies as deemed relevant or necessary to the Department.
Other individuals performing functions for the Department but technically not having the status
of agency employees, if they need access to the records in order to perform their assigned agency
functions. Used by the NIAMS Administrative Officers (AOs) to track SF-52 data. Data collected
is required for all SF-52 personnel actions.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The legislation authorizing
this activity is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521, and Exec Order 10561.
NIAMS collects employee name, date of birth, SSN, mailing address and salary. The data is
needed to create SF-52 actions. Human Resources uses the SF-52 actions to input information
into EHRP. Required statistical reports to upper management and higher headquarters are
generated from this information. Data collection is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) When/if major changes occur to the system that affect
or change how the individuals' information will be shared, each of the existing individuals would
be notified, via mail or email, and requested to consent to the new process. All new users will be
made aware of the change when they supply their information.
(a) The information comes from the individual to whom it applies, is derived from information
supplied by the individual, or is provided by Department officials. (b) It is initially supplied by
the individual to HR in writing at the time of employment. (c) The information is required, as a
condition of employment, to process payroll, taxes, benefits, and other actions and
determinations made about an individual while employed.
(d) Written notice is provided to the subject at the time of employment. (e) Notification
procedures include the immediate supervisors of individuals or the administrative offices of the
organizational units in which employed. HR may also provide further information concerning
the existence of this SOR. Individuals should provide their name, SSN, and organization in
which employed. The information is used by operating officials in carrying out their personnel
management responsibilities.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Admin Controls - The information is
maintained on-line by the system and may be accessed and printed by those authorized access to
the information. Access to this data is limited to those persons whose official duties require such
access.
Physical controls - Access to the system requires an NIH Login userid and password. The system
is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc. residing
in NIAMS).
Technical controls - The NIAMS ISSO and Server Team monitor and control access to all
NIAMS machines, including the Intranet server using system monitoring and intrusion detection
tools.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme, 301-496-8296
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: TBD (was 09-25-01-01-02-3198-00-402-125 for
predecessor, VSOF)
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not applicable
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Valerie Green
10. Provide an overview of the system: SOFie is the Institute's budget reporting system used to
track costs and generate status reports. It is a multi-user integrated database of financial
transactions from the NIH Central Accounting System used by multiple NIH Institutes and
Centers to monitor the financial status of programs they support.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Accounting data and related
document information is downloaded from Accounting and is relevant or specific to NIAMS for
its fiscal year operations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not applicable. No PII is collected, shared, or
disclosed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not applicable as no PII is collected, shared,
or disclosed. Controls are in place for the system.
Admin Controls - The information is maintained on-line by the system and may be accessed and
printed by those authorized access to the information. Access to this data is limited to those
persons whose official duties require such access.
Physical controls - Access to the system requires an NIH Login userid and password. The system
is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc. residing
in NIAMS). The servers are secured in a locked, controlled environment.
Technical controls - The NIAMS ISSO and Server Team monitor and control access to all
NIAMS machines, including the Intranet server using system monitoring and intrusion detection
tools.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Lillian Cosme, 301-496-8296
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIBIB Employee Database
Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NIBIB Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Truc Le
10. Provide an overview of the system: EDie is an Intranet based application primarily used to
manage and track personnel information. Authority for maintenance of the system: 5 U.S.C.
1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal administrative use only and will not be shared by other
entities. Refer to SORN 09-90-0018, SORN 09-90-0024 and SORN 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, Fellowship
Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses
consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports
requested by the NIH Director, the IC Director, and other management staff, as requested; and e)
maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments.
The type of information collected constitutes PII and includes, but is not limited to the following
data elements: name, home address, home phone number, social security number and date of
birth. The PII collected is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS,
nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is
used is relayed to employees via official notices from the NIH Office of Human Resources
(OHR). Individuals are notified of the collection and use of the data as part of the hiring process.
This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored in EDie is accessed by a very
limited number of administrative staff with a “need-to-know” status. EDie is password protected
and sensitive data is encrypted. The system is located on a server in a secure server room behind
the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kai Kamerow
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIBIB Internet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-00-0000-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIBIB Internet Website
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Todd Merchak
10. Provide an overview of the system: The NIBIB Internet Website provides mission-related
information to multiple constituencies that include other federal agency staff, extramural
researchers, health professionals, educators, students, and professionals.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The NIBIB Internet Website does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NIBIB Internet Website
collects usage data for metrics purposes only. Data collected do not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIBIB Internet Website is in compliance with
federal law and NIH web policies. The NIBIB Internet Website does not collect personal data.
The privacy notification statement and disclaimers are used and visible from every page,
including web pages directed to children. The NIBIB Internet Website does not use persistent
cookies.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: Yes
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The NIBIB Internet Website does not
collect information in identifiable form.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kai Kamerow
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIBIB NIBIB General
Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/29/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-04-00-0000-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIBIB General Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lawrence Morton
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The NIBIB GSS does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kai Kamerow
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIBIB Status of Funds
Internet Edition (SOFIE)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/29/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: In development
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jeff Kaloz
10. Provide an overview of the system: SOFie is a web database application that allows
Institutes to track expenses and the balance of accounts.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The SOFie system gathers
financial data from NIH systems so that financial information can be viewed and manipulated to
meet the ICs' needs. The system does not include any personal information or information in
identifiable form.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: SOFie is password protected. Individuals
only view accounts pertinent to their area.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kai Kamerow
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Certification of
Confidentiality [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not applicable.
6. Other Identifying Number(s): Not applicable.
7. System Name (Align with system Item name): NICHD Extramural Clinical Certificate of
Confidentiality System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Rodney Rivera
10. Provide an overview of the system: The NICHD Extramural Clinical Certificate of
Confidentiality System enables investigators who are conducting research in line with NICHD’s
mission to apply for a Certificate of Confidentiality from the NICHD and supports the internal
processes for finalizing and issuing the Certificate.
The system automates the cumbersome paper-based process of applying for and issuing
certificates by providing a public web interface for users to request a certificate and a staff-side
module used by staff in the Clinical Director’s office to track and modify the submission and
generate the official document for signature.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not applicable.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NICHD will collect the
name, email address, mailing address, and phone number of individuals applying for NICHD
Extramural Certificates of Confidentiality. The information will contain PII, and submission of
personal information is voluntary, but necessary if the applicant chooses to apply.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) If a major change were to occur to the information
system, individuals would be notified via telephone calls regarding any potential changes to their
PII. At that time, they would be able to provide consent acknowledging the change. Individuals
are notified of the information that is being collected from them, and consent is obtained twice:
(1) via a pop-up notification where they agree to certain statements regarding their study before
the individual is able to access the application, and (2) when they submit their information for the
Certificate of Confidentiality. The first portion of the application indicates how the information
the individual(s) submit will be used.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to and use of these records is limited
to those persons whose official duties require such access. Secured via sign-on and
authentication methods. Administrative controls include system security plan, contingency plan,
files backed-up and stored off site, user training, and least privilege accesses. Technical access
controls include user identification, password, firewall, VPN, encryption, intrusion detection
system, common access cards, and public key infrastructure. Physical access controls include
guards, identification badges, key cards, cipher locks, and closed circuit TV.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Child Health
Information Retrieval Program [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4401-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): NICHD-0002
7. System Name (Align with system Item name): Child Health Information Retrieval Program
(CHIRP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Aubrey Callwood
10. Provide an overview of the system: The Child Health Information Retrieval Program
(CHIRP) provides support for grant application and award processing, tracking, scientific coding
and report retrieval for the NICHD Extramural program.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: No Information in
Identifiable Form (IIF) is collected or stored. CHIRP pulls grant- and contract-related data from
IMPACII. The Referral and Program Analysis Branch (RPAB) of NICHD’s Office of Scientific
Policy, Analysis, and Communication (OSPAC) assigns each project funding application to the
appropriate NICHD branch for review. Once funding has been approved, RPAB then applies
extensive scientific coding to the grant record based on the areas of research involved.
Throughout the pre- and post-funding process, RPAB maintains summary information about
each project for reporting purposes. All project records are then given pre-funding preliminary
coding and post-funding scientific coding for detailed and accurate classification. Based on all
available project data, highly-flexible querying options allow users to generate various standard
and customized reports as necessary for interested internal and external entities.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Clinical Trials
Database [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 3/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Paperwork Reduction Act notice has
been submitted for OMB approval. This will be updated once that information is obtained.
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH NICHD Clinical Trials Database
(CTDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Aubrey Callwood
10. Provide an overview of the system: The CTDB is a web-based application that supports
the NICHD Clinical Trials Program. The NICHD Clinical Trials Program consists of
approximately 50 medical investigators and research staff (e.g., nurses, residents). The system
supports clinical trial data collection. The Clinical Trials Survey System portion of the CTDB
allows individuals participating in clinical trials to fill out questionnaires online. The goal of this
application is to provide a user-friendly electronic data collection solution for clinical research.
This makes the process of conducting clinical trials easier and more efficient for participants, as
well as researchers.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The information the
agency will collect includes name, date of birth, mailing address, phone number, medical notes,
medical records numbers, and e-mail addresses.
2) The information is collected for the purposes of participating in the study.
3) The type of information collected does contain PII and submission of information is
mandatory in order to participate.
4) The submission of personal information is voluntary but mandatory in order to participate.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1) The process in place to notify and obtain consent
from the individuals whose PII is in the system when a major change occurs to the system is via
e-mail notifications to the users and through broadcast lists. All data collected is obtained via
Institutional Review Board (IRB) approved protocol.
2) Consent to collect and use the PII from the participants is obtained through the patient consent
form.
3) The participants are also notified as to how that information will be used or shared during the
time they sign the patient consent form.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to and use of these records is limited
to those persons whose official duties require such access. Secured via sign-on and
authentication methods. Administrative controls include system security plan, contingency plan,
files backed-up and stored off site, user training, and least privilege accesses. Technical access
controls include user identification, password, firewall, VPN, encryption, intrusion detection
system, common access cards, and public key infrastructure. Physical access controls include
guards, identification badges, key cards, cipher locks, and closed circuit TV.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Contracts Module
(CM)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not applicable
5. OMB Information Collection Approval Number: Not applicable
6. Other Identifying Number(s): Not applicable.
7. System Name (Align with system Item name): NICHD Contracts Module (CM)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Rodney Rivera
10. Provide an overview of the system: The NICHD Contracts Module is a web-based system
designed to allow NICHD staff with contracts responsibilities to more efficiently monitor the
contracts budget, as well as provide a high level budget view for discussions with NICHD senior
management. The system will be designed to capture contracts financial data at key points in the
business process from the relevant NICHD and NIH financial systems and link the data together.
The system is initially intended for use by the Finance and Contracts branches, with future
extension to Program staff.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The system does not
collect PII information. Specifically, the system stores information about each contract for
which NICHD is providing funding (contractor name, contract title, and dollar amounts).
2) The system is designed to capture contracts financial data at key points in the business
process from the relevant NICHD and NIH financial systems and link the data together in order
to more efficiently monitor the contracts budget.
3) The system does not collect or store PII information.
4) Users do not submit any personal information to the system. The system does not collect data
or PII from users.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Council Member
Website [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): Council Member Website (CMW)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Aubrey Callwood
10. Provide an overview of the system: CMW provides NICHD Advisory Council members
with online access to a variety of Council-related information, both for the current council and an
archive of data from prior councils. The site also provides Council members with the ability to
review and vote on individual applications as well as an En Bloc review, which would allow the
Council to fulfill their business function without physically meeting at the National Institutes of
Health (NIH).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The system does not
collect or store PII information. The system provides NICHD advisory council members with
online access to a variety of Council-related information. Current council data and archived data
from prior councils are available on the site.
2) The information available on the Council Member Website is used by NICHD staff to
access general council information.
3) The system does not collect or store PII information.
4) Not Applicable – Users do not submit PII information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Diversity
Development Database (3D)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NICHD Diversity Development Database
(3D)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Rodney Rivera
10. Provide an overview of the system: The Diversity Development Database (3-D) system is
a web-based application providing a central mechanism for collecting and reporting on data for
programs within the Division of Special Populations (DSP). It allows program participants (e.g.,
Principal Investigators, Mentors, and Scholars) to more easily meet their program’s funding and
assessment requirements by providing a centralized location where they can submit relevant data
on their progress and achievements at any time. It also aids NIH staff in their duty to evaluate
training programs at grantee institutions by increasing data uniformity, decreasing data
duplication, and enabling up-to-the-minute reporting, allowing them to see a program’s or
individual’s progress at any given time in history.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) 3D maintains business
information on individuals requesting grants from NIH (this includes: Name, Personal Mailing
Address, Personal Phone Numbers, Personal Email Address, and Educational Information). The
name of the individual is requested along with education information such as the school and
degree earned (no formal transcripts are requested) as well as the individual’s military history
(such as their position and dates in that position), but no formal request is made to the military to
obtain this information. The information is also used for the purpose of monitoring progress in
one of the diversity related programs.
2) The information is used to contact individuals requesting grants from NIH.
3) The system does contain PII.
4) The information submission is voluntary, but necessary in order to participate.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) If a major change were to occur to the system,
individuals would be notified via e-mail. Individuals are notified, and consent is obtained,
regarding what PII is being collected from them at the time of information collection. During
that time, they are also notified how that information is going to be used. At that point, they can
determine whether they will participate.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to and use of these records is limited
to those persons whose official duties require such access. Secured via sign-on and
authentication methods. Administrative controls include system security plan, contingency plan,
files backed-up and stored off site, user training, and least privilege accesses. Technical access
controls include user identification, password, firewall, VPN, encryption, intrusion detection
system, common access cards, and public key infrastructure. Physical access controls include
guards, identification badges, key cards, cipher locks, and closed circuit TV.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Division of
Intramural Research Website [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 3/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable. This system does not collect personally
identifiable information.
5. OMB Information Collection Approval Number: Not applicable. This system does not
collect personally identifiable information.
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): Division of Intramural Research Public
Website (DIRWeb)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chandan Sastry
10. Provide an overview of the system: The Division of Intramural Research (DIR) attempts to
understand and harness the science and technologies which will allow prediction, at or before
birth, of diseases to which humans are susceptible, to identify genetic, prenatal (fetal
antecedents) and environmental factors that influence expression so that interventions can be
developed that will prevent or modify each expression. The DIR studies the biology of
development, and examines events from conception through senescence at the molecular,
physical/chemical, genetic, and behavioral level in cells, tissues/organs and organisms. The DIR
attempts to understand the biological processes of normal and pathological development in
human beings. The DIR website delivers research capabilities for the ten programs which make
up the DIR: cell biophysics and chemistry, cell regulation and metabolism, and cell metabolism
and biology; genomics of differentiation, developmental endocrinology and genetics,
developmental immunology; reproductive sciences and medicine, perinatology; and
developmental neuroscience.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) DIRWeb contains
information about research which attempts to understand and harness the science and technologies
that allow prediction, at or before birth, of diseases to which humans are susceptible, and to
identify genetic, prenatal (fetal antecedents) and environmental factors that influence expression
so that interventions can be developed that will prevent or modify each expression.
2) The DIR studies the biology of development, and examines events from conception through
senescence at the molecular, physical/chemical, genetic, and behavioral level in cells,
tissues/organs and organisms.
3) The system does not contain PII
4) Not Applicable
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not collect PII, however
there are controls in place on the system including the following: administrative controls include
a system security plan, a contingency plan, the backing up of files and storing them offsite, as
well as methods in place to ensure least privilege access; technical controls include user
identification, passwords, firewall, and an intrusion detection system; and physical access
controls include identification badges, key cards, and cipher locks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Employee
Database Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH NICHD Employee Database, Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Aubrey Callwood
10. Provide an overview of the system: EDie is a web-based application that allows Institutes
to accurately maintain individual employee, contractor, fellow, guest, and volunteer information,
as well as plan for, monitor, and report on workforce staffing levels. To minimize duplicate data
entry, the standard business systems from which EDie currently downloads are the NIH Human
Resources Database (HRDB), the Fellowship Payment System (FPS), the NIH Enterprise
Directory (NED), and FSA Atlas. HRDB is EDie’s source for information about general hire
employees, including General Schedule, General Wage, Commissioned Officers, and others.
The official data that is stored in HRDB, including payroll information, is available for each
employee and can be viewed by those users with corresponding access privileges. FPS is the
source for information about visiting fellows, including their stipend and sponsorship
information. NED is the source for information about contractors and other special volunteers.
Because these are not direct hire employees, there is no payroll or FTE information available for
these employees. EDie also pulls in locator information from NED for every employee that is
stored in EDie and who has a corresponding NED ID. FSA Atlas is the source for Visa
information. EDie provides an efficient and effective way to manage and report on the
workforce of the Institute/Center (IC). It provides the ability to track and report on planning
records. It allows users to update staff information for future actions while also having the
ability to view the official source information, staffing summary and trend information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal administrative use only and will not be shared with other
entities. Refer to SORN 09-90-0018
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) EDie tracks all
information pertinent to a personnel file for the purpose of personnel management activities.
Information is collected from employees via the Human Resources Database (HRDB) system,
Fellowship Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory
(NED).
2) Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are
done in a timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE
ceilings are maintained; c) ensuring salary equity for various hiring mechanisms; d) providing
reports requested by the NIH Director, the IC Director, and other management staff, as
requested; and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring
appointments.
3) The type of information collected constitutes PII and includes the following: name, address,
phone number, social security number and date of birth.
4) Submission of this information is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Changes to the HRDB or a change in the way
information is used is relayed to employees via official notices from the NIH Office of Human
Resources (OHR). Individuals are notified of the collection and use of the data as part of the
hiring process. This is a mandatory requirement of potential job applicants seeking employment
at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Records are maintained on-line by the
system and may be printed by authorized requesters. Access to and use of these records is limited
to those persons whose official duties require such access. Secured via sign-on and
authentication methods. Administrative controls include system security plan, contingency plan,
files backed-up and stored off site, user training, and least privilege accesses. Technical access
controls include user identification, password, firewall, VPN, encryption, intrusion detection
system, common access cards, and public key infrastructure. Physical access controls include
guards, identification badges, key cards, cipher locks, and closed circuit TV.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Insider 2 [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): Insider Intranet 2 (Insider2)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Aubrey Callwood
10. Provide an overview of the system: The Insider provides an Intranet for NICHD staff to
use to view general administrative information online. In addition, program and extramural staff
have access to several applications that allow them to submit recommendations for grant
funding, reporting, and document tracking.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The system does not
collect or store PII information. The system provides general administrative information to staff.
The system allows extramural staff to submit non-PII information such as recommendations for
grant funding, reporting and document tracking.
2) The information available on the Insider Intranet site is used by the NICHD staff to access
general administrative information.
3) The system does not collect or store PII information.
4) Not Applicable - Users do not submit PII information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not collect PII, however
there are controls in place on the system including the following: administrative controls include
a system security plan, a contingency plan, the backing up of files and storing them offsite, as
well as methods in place to ensure least privilege access; technical controls include user
identification, passwords, firewall, and an intrusion detection system; and physical access
controls include identification badges, key cards, and cipher locks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Manuscript
Tracking System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 3/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not applicable. System does not retrieve information by a
personal identifier, and is not subject to the Privacy Act.
5. OMB Information Collection Approval Number: TBD
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Manuscript Tracking System (Mtrac)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chandan Sastry
10. Provide an overview of the system: Researchers routinely publish papers as part of their
research. To ensure the highest quality of the publications the Division of Intramural Research at
the NICHD established an approval process through which all publications have to go.
The approval process usually follows a bottom-up pattern, by which the manuscript that has been
submitted gets successively routed to a direct report. However, there are exceptions to this rule
and generally a manuscript can be routed to any person participating in the approval/review
process. A person with approval permissions can approve the manuscript for publication. The
publication marks the last step in the internal reviewing process.
Mtrac is used to select reviewers and move papers through the peer review process as quickly as
possible without compromising accuracy. The Mtrac system will automate a process which is
currently being done entirely on paper. It will save a tremendous amount of time and avoid
human errors that occur when performing mundane work. In addition, the system will enable people
to participate in the process who have not been able to participate in the paper model.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose information with any other system or agency.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The Mtrac system will
collect name, phone number, and e-mail addresses.
2) The purpose for using this information is to incorporate it into a database which automates
the approval process through which all publications have to undergo. The automated system will
save a tremendous amount of time and avoid human errors that occur by performing mundane
work.
3) The information collected does include PII, and;
4) Submission of information is voluntary based on whether an individual would like to submit a
manuscript for review.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Individuals are notified via e-mail when a major
change occurs to the system. Individuals are notified as to the type of PII that is being collected
from them during training, and they provide verbal consent when they choose to sign up for the
system. Individuals are also told the system purposes to include: their information being updated
in PUBMED, and to keep an account of their activities in publishing.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include a C&A, a
system security plan, a contingency plan, storing of files offsite, user manuals, and least
privilege access. Technical controls include user identification, passwords, firewall, virtual
private network (VPN), encryption, and intrusion detection system (IDS). Physical controls
include guards, identification badges, key cards, and cipher locks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Menkes Disease
and Occipital Horn Syndrome International Registry [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A There are no Other Identifying Numbers the Agency
uses.
7. System Name (Align with system Item name): NIH NICHD Menkes Disease and Occipital
Horn Syndrome International Registry
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Rodney Rivera
10. Provide an overview of the system: The Menkes registry allows doctors around the world to seek
referrals for patients with Menkes disease or Occipital Horn syndrome via a public website. Dr.
Stephen Kaler is the leading expert on these diseases and is not only the sole source for treatment
referrals, but is also the only person who can confirm that the patient has these diseases. This
website allows doctors to enter basic patient personal information as well as data about their
symptoms to allow Dr. Kaler to provide referrals for treatment. The registry also allows follow-
up information to be posted. Currently, this data is sent to Dr. Kaler via telephone, email, or fax.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information is only shared between Dr. Stephen Kaler and his assistant Maryellen Rechen.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) Information is sent to Dr.
Kaler regarding patients' symptoms (this includes: Name, Date of Birth, Personal Mailing
Address, Personal Phone Number, Medical Notes, and Personal Email Address)
2) The information is sent in order for Dr. Kaler to fully assess the patient's symptoms and make
appropriate referrals for treatment of the specified disease
3) Yes, the information contains PII
4) The submission is voluntary because the patients and doctors enter the information themselves
in the website
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The information is entered voluntarily, and therefore
consent is given by the patients when the information is entered.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include a system
security plan, a contingency plan, backing up files and storing them offsite, user manuals, and
least privilege access. Technical controls include user identification, passwords, firewall, virtual
private network (VPN), encryption, and an intrusion detection system (IDS). Physical controls
include guards, identification badges, key cards, and cipher locks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD NICHD General
Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not applicable. System does not retrieve PII by one or more
personal identifiers.
5. OMB Information Collection Approval Number: Not applicable.
6. Other Identifying Number(s): Not applicable. System does not retrieve PII by one or more
personal identifiers.
7. System Name (Align with system Item name): NICHD General Support System (GSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Rodney Rivera
10. Provide an overview of the system: The NICHD GSS is managed out of the NICHD
Information Resources Management Branch (IRMB) office. The size of the NICHD GSS is
equated to the size of networks found in mid-size corporations. The NICHD GSS is used for
internal administrative and scientific purposes, as well as to provide services to the general
external public. Additionally, specific extranet projects are supported via NICHD GSS as well.
Systems within this GSS include: nichddirsfs1.nichd.nih.gov, nichddirsfs2.nichd.nih.gov,
nichdzfish3.nichd.nih.gov, searchdir.nichd.nih.gov, nichdvm10, nichdvm11, nichdvm12,
nichdvm13, nichdvm18, nichdvm19, nichdvm20, nichdvm21, nichdmic.nichd.nih.gov,
nichdmica.nichd.nih.gov, nichd32t21.nichd.nih.gov (attached to a electron microscope),
nichdsws.nichd.nih.gov, zfish.nichd.nih.gov, stbb-lr.nichd.nih.gov, tango.nichd.nih.gov,
zfish2.nichd.nih.gov, rafisher.nichd.nih.gov, stbbrock.nichd.nih.gov, nichddevdb.nichd.nih.gov,
nichddbprod.nichd.nih.gov, nichdctdbproddb.nichd.hih.gov, nichd-ccdb.nichd.nih.gov,
trypsin.nichd.nih.gov, nichdapptest1.nichd.nih.gov, nichdappdev1.nichd.nih.gov,
nichdappprod1.nichd.nih.gov, nichdappprod2.nichd.nih.gov, nichd-ctdbapps.nichd.nih.gov,
nichddirdevdb.nichd.nih.gov, nichd-rs.nichd.nih.gov, metis.nichd.nih.gov,
nichdexp.nichd.nih.gov, nichdctdbldap, nichddesprdev1, nichdapps1, nichd6prts,
nichdrock1apps, nichdtripmon, nichdtissuebank, ceres, nichd-webtest, nichdinsidrtst,
nichdchirptrain, nichdsp01, nichdsp02, nichdclsql01, nichdclsql02, nichdnmsql01, nichdwsus,
nichdmrsd, nichdintnettest, nichdorstest, nichdorptest, nichdmrsdtest, nichdbizobj02,
nichdbizobj01, nichdbackup03, nichdextrtst, nichdreport01, nichdmssql02, nichdmsmom,
nichdinsightmgr, nichdshareptest, nichdtwtst, nichdtw01, nichdorp, nichdors, nichdpatchscan01,
nichdmssql01, nichdmssql03, nichdora1, nichdora2, nichdora3, nichdora4, nichdora5, nichdora6,
nichdoramgr, nichdnascan1, nichdnascan2, nichdnascan3, nichdstorage2, nichd49dc1,
nichdchirp, nichdextranet1, nichd6100dc1, nichdtermsrv1, nichd6100e, nichdvm08, nichdvm02,
nichdsharepoint, nichdpoolesvlle, nichdoramgrts, nichdreport, nichdvm09, nichd6100fs1,
nichdinsider, nichdcc1, nichdcc3, nichd9fs1, nichd31fs1, nichd6fs1, nichd49fs1, nichdrockfs1,
nichd18-32fs1, nichdvm01, nichdvm06, nichdvm07, nichdbackup01, nichdbackup02, nichdrds,
nichd31dc, nichdnav, nichdsav, nichdoramgrp, nichdoramgrt, nichdora7, nichdora8, nichdapps2,
eroom, and HPBL01C700.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not applicable.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: As the NICHD GSS is the
principal component for administrative, scientific, and business data, individual applications may
have specific configurations and/or data storage requirements and classifications beyond the
scope of this document. Such applications are individually documented by their respective
owners. NICHD GSS management personnel continue to provide the platform support,
administration, backup, etc., for the systems comprising such applications. This system does not
collect, maintain or disseminate PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) As the NICHD GSS is the principal component for
administrative, scientific, and business data, individual applications may have specific
configurations and/or data storage requirements and classifications beyond the scope of this
document. Such applications are individually documented by their respective owners. NICHD
GSS management personnel continue to provide the platform support, administration, backup,
etc., for the systems comprising such applications. This system does not collect, maintain or
disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include system
security plan, contingency plan, files backed-up and stored off site, user training, and least
privilege access. Technical access controls include user identification, password, firewall,
VPN, encryption, intrusion detection system, common access cards, and public key
infrastructure. Physical access controls include guards, identification badges, key cards, cipher
locks, and closed circuit TV.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Operational
Planning and Scientific Initiatives System of Tracking (OP-ASIST)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH NICHD Operational Planning and
Scientific Initiative System of Tracking
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Li Huang
10. Provide an overview of the system: OP-ASIST is an automated, web-based tool that
supports the Eunice Kennedy Shriver- National Institute of Child Health and Human
Development (NICHD) research initiative user community. OP-ASIST provides NICHD with
the ability to manage the planning process for grant and contract related scientific initiatives. It
facilitates tracking the progress of all scientific initiatives from initial concept development
through grant and contract approval.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The information
collected, maintained, and disseminated are proposed contract and grant information including
the organizations, the background and scope of contract, peer reviews of the initiative, financial
information (who is providing funding, how much, and mechanism), decisions that are made
throughout the approval process, and the audit of all changes that any user makes
2) Information is collected to provide NICHD with a mechanism to plan future contracts and
grants
3) The system does not contain PII
4) Not applicable, there is no submission of personal information by users
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not applicable. System will not collect, maintain, or
disseminate any PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Reproductive
Tissue Sample Repository [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH NICHD Reproductive Tissue Sample
Repository (RTSaR)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Rodney Rivera
10. Provide an overview of the system: The RTSaR is a centralized, Web-based system that
may be used to track and retrieve information about tissue availability. RTSaR may be used by
the tissue banks to enter and maintain current data regarding the availability of tissue samples at
their facility, and by requesters to query the availability of tissue and to order tissue samples on-line.
RTSaR has been implemented using Java, JSP, HTML, and XML technologies. Data persistence
is achieved using an Oracle database. Secure Sockets Layer (SSL) has also been put in place to
protect data sent across the Internet.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The system holds basic
information about tissue in the various repositories (size, date, generic statistics about the source of
the tissue), and information about the users that have access to it (name, institution, email address,
and the grant through which the user is funded). The information collected includes information
about users that are outside the Federal Government.
2) The information is used by scientists to request a tissue sample in order to perform NIH-funded
research. The user information (name, email address, and phone number) is kept so that access
can be granted to users by the system admins.
3) The system does contain PII
4) If users need access to the system, they must submit their name, email address, and phone
number. Therefore the submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The information is entered voluntarily, and therefore
consent is given by the users when the information is entered.
1) An email may be sent out to all users to let them know of change.
2) The information is entered voluntarily by users. The users provide their name, email address,
and phone numbers in order to gain access to the system.
3) The user information (name, email address, and phone number) is used to contact users,
specifically when system admins need to verify their user information (name, email address, and
phone number)
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Records are maintained on-line by the
system and may be printed by authorized requesters. Access to and use of these records is limited
to those persons whose official duties require such access. Secured via sign-on and
authentication methods. Administrative controls include system security plan, contingency plan,
files backed-up and stored off site, user training, and least privilege access. Technical access
controls include user identification, password, firewall, VPN, encryption, intrusion detection
system, common access cards, and public key infrastructure. Physical access controls include
guards, identification badges, key cards, cipher locks, and closed circuit TV.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Sponsored
Dashboards (NSD)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH NICHD Sponsored Dashboards (NSD)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Rodney Rivera
10. Provide an overview of the system: The NICHD Dashboard tool was designed to enhance
the decision-making efficiency of NICHD senior management by providing simplified, timely
access to required information through a set of key performance indicators. Analogous to the
way information is displayed on a vehicle dashboard, the Dashboard was intended to allow users
to quickly analyze performance across multiple “gauges”. These “gauges” or measures are
grouped in categories of interest to NICHD senior management: Extramural, Intramural,
Financial, Human Capital and Administration.
The project was originally spearheaded by the prior Executive Officer. The project was intended
to be released to Center Directors to allow them to view their portion of the financial budget,
their grants portfolio and contracts portfolio. While several of these measures were completed,
changes to the financial structure and systems at NICHD and NIH have occurred so several
measures have been removed from the system.
NICHD Sponsored Dashboards (NSD) consists of the NIH Dashboard, NCI Dashboard, the
NICHD Dashboard and Telework Application and Review System (Telework) applications.
NSD is an internal application and is accessible to NIH users via the NIH Intranet only. The
dashboards are designed for senior managers and executives and the dashboard information is
read only from the source, Human Resources Database (HRDB).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The NSD contains
Extramural, Intramural, Financial, and Administration Information
2) The information is used to enhance the decision-making efficiency of NICHD senior
management by providing simplified, timely access to required information through a set of key
performance indicators
3) The system does not contain PII
4) Not Applicable
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system does not collect PII, however
there are controls in place on the system including the following: administrative controls include
a system security plan, a contingency plan, the backing up of files and storing them offsite, as
well as methods in place to ensure least privilege access; technical controls include user
identification, passwords, firewall, and an intrusion detection system; and physical access
controls include identification badges, key cards, and cipher locks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Status of Funds
Internet Edition
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 3/8/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH NICHD Status of Funds, Internet
Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Rodney Rivera
10. Provide an overview of the system: SOFie is a reporting tool that allows NICHD to
manipulate and report on financial transactions and general accounting information downloaded
from the NIH Central Accounting System (CAS). It tracks budget allocations, open
commitments, obligations, invoicing and payments. Transactions are passed through other
systems and then downloaded, or linked into the shared data system called nVision Data
Warehouse, from which they are then uploaded into SOFie and exported to Excel. Downloads are
processed on a daily basis, generally in the evening hours to ensure all allocation entries and
adjustments are captured in real time. The daily downloads allow administrative and
management staff to accurately report on the budgets established within the NICHD office,
laboratory, section or branch. Financial transaction details are charged to a Common Accounting
Number (CAN) which is part of a hierarchical accounting structure termed the Management
Account Structure (MAS). The MAS groups CANs into summary levels which include the
appropriation source, allotment number, budget activity, allowance name, cost center and CAN.
The CAN is tied to a Project Number, categorized by Object Class Code (OC), and summarized
and itemized by individual Document Numbers assigned for reference purposes. Additional
manipulation is possible to track expenses by month or fiscal year, by date range, and through
several stages of the acquisition process.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) Fiscal year operational
information and general accounting data is downloaded from the NIH Central Accounting
System (CAS) into a commercial, off-the-shelf (COTS) software product purchased by NICHD
and exported to Excel. The financial information is specific to NICHD and is organized by
category (Ex. salary, benefit, award, appropriation, central services, etc.).
2) It can be sorted by organizational code, object class code, date or amount of a commitment,
expenditure, or obligation, etc.
3) The system contains no personally identifiable information (PII) on any individual.
4) Not Applicable
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Aubrey Callwood
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA BIS Inventory and
Change Control System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIDA BIS Inventory and Change
Control System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Pei-Li Chao
10. Provide an overview of the system: This information system contains two parts. One is for
system inventory tracking; the other is for change control tracking. The information system is an
in-house application built for BIS to record server configurations along with the changes made to
each server and to document the approving process before the actual change is done to the
servers.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The system collects
server configurations, server function, and change control information on servers maintained by
the BIS. It is used by the IT department for server tracking. It does not contain contact data.
(2) The information is used for maintaining NIDA IRP Servers.
(3) It does not contain PII.
(4) Not applicable. This system does not ask for submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark Green
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Criminal Justice
Drug Abuse Treatment Studies (CJDATS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: n/a
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): NIH NIDA Criminal Justice Drug Abuse
Treatment Studies
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sarah Duffy
10. Provide an overview of the system: The system supports the CJDATS Research
Collaborative, which conducts multi-center and multi-site implementation research to improve
assessment and treatment of drug-involved offenders. The studies are themselves currently under
development. The system will facilitate aggregation of data collected across multiple sites by
grantees, dissemination of non-identifiable data, and general dissemination of public CJDATS
information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system will be used to
merge, aggregate, and standardize research data collected at multiple sites by grantees. The
studies are currently under development.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The studies are currently under development. Once
designed, they will be submitted to all relevant IRBs, including consent procedures and forms.
Information will be used for research purposes only.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no PII in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark R. Green, 301.435.1431
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/26/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Drug Inventory
Supply and Control System (DISCS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Unknown
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0210
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIDA3
7. System Name (Align with system Item name): Drug Inventory Supply and Control System
(DISCS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anita LoMonico
10. Provide an overview of the system: This system accounts for research grade drugs made
available for distribution for research and analytical purposes. Materials are provided on request
from persons authorized by the DEA (Drug Enforcement Administration) and following
procedures specified by that agency. This system maintains (1) records of quantities in inventory
by DEA classification and locally assigned catalog information, (2) records of all distributions of
quantities of materials by inventory account, order number and requesting individual. If
shipment is to a secondary address because of DEA registration or radiation safety requirements,
that information is also maintained.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
System does not collect, store or share PII as defined by NIH
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Types of information
contained in the records are: researcher's name, DEA (Drug Enforcement Administration)
registration numbers, business address (location of research project), telephone number and
e-mail address, requests for substance(s), name and amount of each compound requested and
shipped, date material is shipped and received, shipment numbers, and DEA order form
numbers. Data collected are the minimum necessary to satisfy DEA record requirements, to
allow contact with the requestor and, finally, to ship materials to the requestor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There are no procedures to notify users of changes in
use of IIF collected. This system serves the single purpose of accounting for drugs distributed
primarily for research and analytical purposes and providing the distributor with contact and
shipping address information to comply with requests for materials from NIDA supplies.
Additional information is collected for the sole purpose of accounting for the drug materials in
accordance with the pertaining laws and regulations.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Authorized users only. The "hard copy"
records are physically located at the Neuroscience Center, Bethesda, Maryland; the main server is
physically located at 6116 Executive Blvd, Rockville, MD. The computerized records are kept
in a room with controlled access. The room is locked at all times. The "hard copy" records are
stored in locked file cabinets in a room with controlled access. This room is locked when not
occupied. The Neuroscience Center has a 24-hour guard patrol service. The terminals are
housed in a secured work area with limited admittance. Contract personnel use a password
identification system to obtain access and encrypted connections to ensure data security.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark Green, 301-435-1431
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Employee Database
Internet Edition (EDiE)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-9318-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIDA Employee Database Internet
Edition (EDiE)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Pei-Li Chao
10. Provide an overview of the system: The Employee Database Internet Edition system (a.k.a.
EDie) provides an efficient method for data gathering, tracking and analysis, and reporting to
allow for basic workforce planning in the areas of:
- FTE and cost projections
- FTE Personnel Actions (including renewals of appointments and visas)
- Employee Ratings
- Employee Awards
- FTE Personnel training data
- FTE Census Data
- FTE Education Level and Degree type
- FTE “Tickler” Alerts for WIGIs, promotions, visa renewals, retention bonus, etc.
- FTE Employment dates (EOD, NTE, Termination, etc.)
- FTE Salary History (mostly T5 & T42 employees, but can also be useful for awards)
In general, it is a consolidated, one-stop place for employee information (FTEs, Non-FTEs, and
Contractors).
The authority for maintenance of the system is: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501,
7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal senior federal government administrative staff and their
delegates, for the purpose of performing their personnel management duties and responsibilities,
and information will not be shared by other entities.
Refer to SORN 09-90-0018.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, the Fellowship
Payment (FPS) system, and the NIH Enterprise Directory (NED) system. The information contains IIF,
and submission of the data by personnel is mandated by each hiring mechanism.
Primary usage consists of the following:
a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby
avoiding any break in service;
b) ensuring that allocated FTE ceilings are maintained;
c) ensuring salary equality for various hiring mechanisms;
d) providing reports requested by the NIDA Director, and other management staff as requested;
e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring
appointments.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF in the system is downloaded from the HRDB, Data
Warehouse, and NED. Changes to HRDB, Data Warehouse, and NED, or changes in the way
information is used, are relayed to employees via official notices from the NIH Office of Human
Resources (OHR). Individuals are notified of the collection and use of the data as part of the
hiring process. This is a mandatory requirement for potential job applicants seeking employment
at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access and permission are granted based on
the “need to know” and “least privilege” principles based on the authorized user role. All users
of this system have taken mandatory annual Information Security Awareness training and
Privacy Awareness Course.
The system resides on NIHnet, which binds it to NIH network security controls and all its
policies and procedures, including password policy and procedures. The website uses SSL for
encrypted communication between the server and the client.
The system resides in a building with 24x7 security guards, badge identification, visitor escort,
CCTV, and key card access to restricted areas.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark R. Green
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Extramural Project
System (NEPS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-9301-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): NIDA 1
7. System Name (Align with system Item name): National Institutes on Drug Abuse
Extramural Project System (NEPS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: James Delloso
10. Provide an overview of the system: NEPS is a NIDA corporate extension system to
IMPAC II. This system provides online management, reporting, and tracking of grant data.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII is not shared nor disclosed with other divisions within this agency, external agencies, or other
people or organizations outside the agency.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Authority for collection of
this information is 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288; 48 CFR
Subpart 15.3 and Subpart 42.15. The IIF that the system captures on the public is obtained from
the NIH IMPACII system. This system does not directly collect information but rather retrieves
the information from the NIH IMPACII system. The IIF that the system retrieves is about
individuals employed by NIDA and involved in the grants business process. IIF includes name,
address, phone number, and financial account information. Most information supplied is
mandatory as it is needed to process a grant application.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There are no processes in place to notify and obtain
consent from individuals regarding the IIF used in this system when major changes have
occurred.
Forms used by NIH to collect Privacy information (such as PHS 398) clearly state the purpose of
the information being collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
usernames/passwords, least privilege, separation of duties, firewalls, locks, badge access, and
background investigations.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark Green, 301-435-1431
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA FOIA Express
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0058
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): NIH NIDA Freedom of Information Act
(FOIAExpress)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lanette Palmquist
10. Provide an overview of the system: FOIAExpress is commercially available software used
to electronically store, retrieve, redact, and print/save documents for delivery to requesters. It
also keeps track of FOIA processing statistics and fees, and generates reports on the number,
types, and nature of FOIA requests processed, as required by the US Department of Justice. It
provides Freedom of Information (FOI) management and workflow control, dynamic case
management, correspondence management, with integrated document and records management,
eFOIA processing, workflow management and related scanning and redaction functions.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
n/a
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information regarding the
requestor is entered into the application. (1) The requestor information is not federal contact
data. The requestor information will not be disseminated. (2) The information is maintained in
order to complete the request from the requestor and log payment. (3) The information will
contain PII contact information regarding the requestor. (4) Submission of the information is
mandatory and is usually phone number, address, and name. Generally this is information
regarding a business. (5) Information releasable under FOIA regulations is scanned into the
system, redacted as necessary, and provided to the requestor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) The requestors’ information is maintained in order
to complete a request and record payment for the request so the requestors’ information will not
be disclosed or affected by a major change in the system. (2) The requestors provide electronic
consent for the collection of privacy information at the time of the request. (3) The requestor’s
information is not shared and is used only to complete a request from the requestor.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The application is a Minor Child system and
resides on a server within the NIH accreditation boundary inheriting security control criteria
from NIH.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark R. Green, Deputy Director, OEA, NIDA 301.435.1431
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Internet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011?
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIDA Internet Server
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mark Fleming
10. Provide an overview of the system: Website for the National Institute on Drug Abuse for
public use.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Log files for statistical
purposes.
The webserver logfile logs the following information:
The Internet domain (for example, "xcompany.com" if you use a private Internet access account,
or "yourschool.edu" if you connect from a university's domain), and IP address (an IP address is
a number that is automatically assigned to your computer whenever you are surfing the Web)
from which you access our website,
The type of browser and operating system used to access our site,
The date and time you access our site,
The pages you visit, and
If you linked to our website from another website, the address of that website.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: Yes
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark Green, 301-435-1431
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Intranet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIDA Intranet Server
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mark Fleming
10. Provide an overview of the system: Internal resources for NIDA staff.
The SOP has confirmed that there is no linkable PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Log files for statistical
purposes.
The webserver logs the following information:
The Internet domain (for example, "xcompany.com" if you use a private Internet access account,
or "yourschool.edu" if you connect from a university's domain), and IP address (an IP address is
a number that is automatically assigned to your computer whenever you are surfing the Web)
from which you access our website,
The type of browser and operating system used to access our site,
The date and time you access our site,
The pages you visit, and
If you linked to our website from another website, the address of that website.
There is no IIF data.
The SOP has confirmed that there is no linkable PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark Green, 301-435-1431
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA IRP BSC Review
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIDA Intramural Research Program
BSC Review
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Pei-Li Chao
10. Provide an overview of the system: Board of Scientific Counselors (BSC), developed in-
house, is hosted at a secure website to allow authorized external scientific review board members
to access NIDA IRP primary investigator’s (PI) curriculum vitae (CV), achievements, budget,
performance, and publications. Through this system, the initial performance review of a PI is
conducted by the scientific review board.
The goal of the BSC review process is to assist the Scientific Director by providing a rigorous
external scientific review of the Intramural Research Program, including the performance of the
intramural scientists and the quality of their research programs. To assure that the BSCs'
evaluations will be most useful to the Scientific Directors in their decision making, the BSCs
must be composed of individuals who themselves have outstanding scientific credentials and
who are committed to providing rigorous, objective reviews.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The goal of the Board of Scientific Counselors (BSC) review process is to assist the Scientific
Director by providing a rigorous external scientific review of the Intramural Research Program,
including the performance of the intramural scientists and the quality of their research programs.
The BSC is composed of individuals who themselves have outstanding scientific credentials and
who are committed to providing rigorous, objective reviews, such as professors from universities.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) NIDA IRP primary
investigators' CVs, achievements, budgets, performance, and publications.
(2) For preliminary performance review of the PIs by the scientific review board.
(3) It contains PII.
(4) The application does not ask for submission of personal information. PIs are instructed to
remove all personal and personal contact information from their CVs. The submission of
information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PIs are notified about how the information will be used
or shared at the time their information (CV, budget, employment status, etc.) is submitted into
the system. By voluntarily submitting their information into the system, PIs are providing
consent regarding the use of their PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access and permission are granted based on
the “need to know” and “least privilege” principles. Authentication is handled by the NIH External
Active Directory, which also enforces strong password protection.
The system resides on NIHnet, which binds it to NIH network security controls and all its policies
and procedures, including password policy and procedures. The website uses SSL for encrypted
communication between the server and the client.
The system resides in a building with 24x7 security guards, badge identification, visitor escort,
CCTV, and key card access to restricted areas.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark Green, Deputy Director, OEA, NIDA 301.435.1431
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA NIDA HQ GSS
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIDA HQ Network
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anita LoMonico
10. Provide an overview of the system: This is a local area network (LAN) that hosts NIDA
HQ servers and workstations to support the NIDA HQ mission. This LAN is an extension of
NIHnet. The system is a General Support System (GSS) and does not directly collect or store
information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on the GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark Green
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA NIDA IRP Human
Research Information System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-9318-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0203
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIDA 5
7. System Name (Align with system Item name): Human Research Information System
(HuRIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Pei-Li Chao
10. Provide an overview of the system: To collect and maintain a database for research
activities at NIDA/IRP. To enable Federal drug abuse researchers to evaluate and monitor the
subjects' health during participation in a research project. The areas of research include, but are
not limited to, biomedical, clinical, behavioral,
pharmacological, psychiatric, psychosocial, epidemiological, etiological, statistical, treatment
and prevention of narcotic addiction and drug abuse.
Authority: Public Health Service Act, Section 301(a) (42 U.S.C. 241(a)); Sections 341(a) and
344 (d) (42 U.S.C. 257(a) and 260
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The authorized users at the NIDA/IRP and other authorized individuals according to the Privacy
Act System of Records (SOR) Number 09-25-0203. This information is further addressed in the
NIH Privacy Act Systems of Record Notice 09-25-0203, published in the Federal Register,
Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The National Institute on
Drug Abuse (NIDA) recruits volunteers and screens these individuals for their acceptability to
participate in specific research projects. For this purpose, HuRIS is used to collect, manage and
maintain information on these participants. The collected data contains information in
identifiable form (IIF) and includes, but is not limited to: name, study identification number,
address, relevant telephone numbers, social security number, date of birth, weight, height, sex,
race, and social, economic and demographic data. In compliance with relevant regulations,
NIDA may disclose information to State or local public health departments. Submission of all
information by research participants is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The information is strictly used for the purposes for
which consent has been obtained. No other use of the data is allowed which is outside the scope
of the existing consent; a major change in the research requires new consent. Participants are
made fully aware of how the information they provide will be used, and Federal personnel obtain
their signed consent confirming that they are eligible to participate and that they consent.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Only authorized NIDA Intramural Research
Program staff are allowed access to these files. Physical Safeguards: Files and file rooms are
locked after business hours. Building has electronic controlled entry at all times with a 24-hour
security guard and television surveillance system. The computer terminals are in a further
secured area.
Procedural Safeguards: All users of personal information in connection with the performance of
their jobs protect information from unauthorized personnel. Access codes to the research records
are available only to the Principal Investigator and his/her research team. Access to the records is
strictly limited to those staff members trained in
accordance with the Privacy Act. The contractor staff members are required to secure the
information in accordance with the Privacy Act. Project Officer and contracting officials will
monitor contractor compliance.
Access to the Human Research Information System (HuRIS): The NIDA IRP computerized
medical and research record is strictly limited. All staff must be authorized to use the system and
be granted an access code (user name and password) by the system sponsor (NIDA, IRP Chief of
Biomedical Informatics). Passwords are required to be changed every sixty days. Access is
limited by job classification and is on a need to know basis only. Data entered is time and date
stamped by the staff member’s name. Data is not altered once entered. While logged into the
system, the name of the staff member is displayed on the screen. An activity log of each use is
kept. Data is backed up on a daily basis. Implementation Guidelines: These practices are in
compliance with the standards of Chapter 45-13 of the HHS General Administration Manual,
"Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS hf: 45-
13, and the HHS Automated Information Systems Security Program
Handbook. In addition, because much of the data collected in these research projects are sensitive
and confidential, special safeguards have been established. Certificates of confidentiality have
been issued under Protection of Identity - Research Subjects Regulations (42 CFR Part 2a) to
those projects initiated since February 1980. This authorization enables persons engaged in
research on mental health, including research on the use and effect of psychoactive drugs, to
protect the privacy of research subjects by withholding their names or other identifying
characteristics from all persons not connected with the conduct of the research. Persons so
authorized may not be compelled in any Federal, State, or local civil, criminal, administrative,
legislative, or other proceeding to identify such individuals. In addition, these records are subject
to 42 CFR Part 2, the Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
(42 CFR 2.56), which state: "Where the content of patient records has been disclosed pursuant to
these regulations for the purpose of conducting scientific research...information contained therein
which would directly or indirectly identify any patient may not be disclosed by the recipient
thereof either voluntarily or in response to any legal process whether Federal or State."
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark Green, 301-435-1431
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA NIDA IRP Local
Area Network [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-01-02-9315-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIDA IRP Network
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Pei-Li Chao
10. Provide an overview of the system: This is a local area network (Ethernet) that hosts
NIDA IRP servers and workstations to support IRP's mission. This LAN is an extension of
NIHnet with private T3 line connection. The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark R. Green
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Population
Assessment of Tobacco and Health Information Management Core System
(IMS CS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/5/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: TBD
6. Other Identifying Number(s): Westat internal project ID 8954
7. System Name (Align with system Item name): NIH NIDA Population Assessment of
Tobacco and Health Information Management System - Core Systems
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kevin P. Conway, Ph.D.
10. Provide an overview of the system: The PATH IMS includes a set of core applications that
collect and store research and study operations data, including study participants’ PII as needed
to identify, contact, and follow-up with participants. These applications include: the Home
Office Management System (HMS), the Basic Field Operating Systems include the Interviewer
Management System and the Supervisor Management System (BFOS/IMS and BFOS/SMS,
respectively), the Multi-Mode Manager (M3), Blaise® survey instruments, the Blaise Editing
System (BES), and the BMC Remedy Magic (Secure Instance). The Home Office Management
System tracks overall information about the study sample, the status of field activities, and the
status of study participants as the study protocol unfolds. The BFOS/IMS (Interviewer
Management System) allows field interviewers to manage their cases, launch data collection
instruments, record contacts and contact attempts, and record study activity completion statuses.
The BFOS/SMS (Supervisor Management System) allows field supervisors to assign cases to
interviewers and track field activity in detail. The Multi-Mode Manager (M3) is a data transport
layer that allows flexible, secure communication between HMS, BFOS, and other applications
that collect or generate study data in different modes. Blaise is a commercial survey
instrumentation platform which Westat uses to develop and deploy the PATH data collection
instruments. Blaise itself is a tool; it is the Blaise instruments that collect the data, which is
stored in secure databases. The Blaise Editing System (BES) is a back-end system used to review
and clean data collected by the Blaise instruments. The Magic application tracks questions,
issues, and complaints reported by the public or by participants who call the PATH 800 number
or request information via the PATH website.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: For the PATH study, Westat
on behalf of NIDA will collect PII as necessary to identify, screen, enroll, and maintain contact
with study participants and potential participants. The data include name, address, telephone, and
other contact information as well as some information critical to informed consent and other
PATH protocol procedures such as date of birth. PII will NOT be disseminated beyond the
project in any form; it is only used to conduct study operations. Any data analyzed by PATH
investigators or other authorized investigators will have PII removed and will have undergone
appropriate non-disclosure review and modification. Any PII collected by PATH is strictly
voluntary. Study participants may refuse to answer any question, and may withdraw from
participation at any time.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Before participants enroll in the study, they are given a
detailed written explanation of the study’s purpose, methods, and the uses to which any
information collected will be put. At this time they are asked to sign a written general consent to
participate in the study, and notified that they may withdraw at any time without penalty. Prior to
specific study procedures, such as an in-home visit or a blood collection, study participants are
informed of the purpose of the activity and asked for consent again.
Participants will be notified of any substantive change to the system that would have any impact
on the original consent(s), and will be given an opportunity to withdraw their consent. If a
participant withdraws from the study, he or she may request that all study data collected about
them up to that time be destroyed, and PATH will comply with that request.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured on the system
through access controls, personnel security awareness and training, regular auditing of
information and information management processes, careful monitoring of a properly accredited
information system, control of changes to the system, by appropriate planning and testing of
configuration management and contingency processes, by ensuring that all users of the
information system are properly identified and authorized for access and are aware of and
acknowledge the system rules of behavior, by ensuring that any contingency or incident is
handled expeditiously, properly maintaining the system and regulating the environment it
operates in, by controlling media, by evaluating risks and planning for information management
and information system operations, by ensuring that the system and any exchange of information
is protected, by maintaining the confidentiality and integrity of the information system, and by
adhering to the requirements established in the contract and statement of work.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark R. Green; 301.435.1431
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 8/6/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Status of Funds
Internet Edition (SoFIE)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): SOFie
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Stacy Gardner
10. Provide an overview of the system: The Status of Funds Internet Edition (SOFie)
application allows the divisions, branches, offices and the Financial Management Branch (FMB)
to track expenditures of appropriated funds within the IC throughout the fiscal year. The program
contains a tracking mechanism to monitor prior year funds as well, and the application downloads
information from nVision daily. Information entered into the SOFie database is not uploaded
into the nVision. SOFie is not a source database for other information systems.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Status of Funds, Internet
edition (SOFiE) is a web-based application that provides advanced financial reporting, analysis
functionality, and balance of accounts. SOFie provides budgeting and planning tools, custom
budget category views, drill-downs for detailed spending analysis, and an Excel interface. The
application downloads information from the nVision system daily. Information entered into the
SOFie is not uploaded into the nVision system and does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Mark Green
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD Content
Management System (CMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIDCD Content Management Server (CMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Susan Dambrauskas, 301-496-
7243
10. Provide an overview of the system: The CMS System is a comprehensive solution for
managing web content and supports NIDCD's mission to the general public. CMS allows
creation of dynamic web sites using extensible CMS controls. Users can create, publish, and
manage their own web content through the appropriate CMS control. NIDCD general public
sites are Internet and StemCell. Internal sites are NIDCD Intranet, NIDCD Board of Scientific
Counselors and Advisory Council.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is used internally to NIDCD only. SOR # 09-25-0106 safeguards are used to ensure
only appropriate people have access to the information, and that they are aware of their
responsibilities for proper handling of the information. Contractors run and maintain the system
and are aware of the above.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Employee contact
information is pulled from the NIH Employee Database (NED) system for all NIDCD
employees. Fields pulled are: First name, Last name, Phone number, e-mail address, org. unit,
Building number, room number, Fax number, NED Classification (employee, fellow, contractor
etc) and Mail Stop Code.
The information is displayed on the Intranet site and is used to facilitate communication between
employees. The NIDCD CMS system does not feed into any system.
The information is stored in identifiable form.
Inclusion is mandatory since inclusion in NED is mandatory for all people working at NIH who
require an ID badge and or AD account.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Consent for the listing of personal information in the
NIH Employee Database (NED) is given at the time individuals are hired or begin working at the NIH.
No additional processes are employed by NIDCD to inform individuals when major system
changes are made to the CMS System, or to inform them how their information will be used or
shared on the CMS System.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is in an electronic system on
NIH secure network infrastructure and is password protected with access limited to only
authorized users. NIDCD periodically reviews and implements policies in line with HHS
guidelines.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Scot Ryder (NIDCD Alternate ISSO - 301.402.1128) or Debbie
Washington (NIDCD Privacy Coordinator - 301-451-9806)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD LMG (Olioga)
(LMG)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIDCD Laboratory Molecular Genetics
Intranet [LMG Intranet] - Minor Application of NIDCD GSS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Robert Morelll (5RC Staff
Scientist, 301.402.4249)
10. Provide an overview of the system: The NIDCD Laboratory of Molecular Genetics (LMG)
database system is a comprehensive solution for managing and tracking laboratory
specimens/supplies stored in laboratory freezers. The LMG Intranet system supports
approximately 32 users in the NIDCD LMG Group located at the 5 Research Court facility.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is used internally only. SOR # 09-25-0200 safeguards are used to ensure only
appropriate people have access to the information, and that they are aware of their
responsibilities for proper handling of the information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information contained
in the LMG System includes patient first name, last name, close familial relation to other
individuals contained in the system (such as father, mother, brother, sister, aunt, uncle etc),
hearing loss status (affected vs. not affected), and gene mutation information, only where it relates
to the hearing loss trait.
The information is used as part of an IRB approved study to identify, and better understand the
relationship between hearing loss and genetics.
The information is stored in identifiable form.
Inclusion in the study, and therefore in this database, is completely voluntary, and there is a process
by which a subject can request that they no longer be included in the study/database.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Patients are informed in writing concerning how their
information will be collected, used, and shared during the course of the study. Patient consent
for the use of their information is obtained prior to inclusion in the study.
No additional processes are employed by NIDCD to inform individuals when major system
changes are made to the LMG System.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The IIF is secured using layered security
practices. The information is contained in a password protected database. Physical security of
the building does not allow unauthorized people to enter, and the computer facilities are further
protected by locked doors. Multiple layers of firewalls also ensure that only appropriate network
traffic is allowed to pass.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Scot Ryder (NIDCD Alternate ISSO, 301.402.1128) / Debbie
Washington (301-451-9806)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD Microsoft Office
SharePoint Server Intranet (MOSS Intranet)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIDCD Microsoft Office SharePoint Server
Intranet (NIDCD MOSS Intranet)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Walter Mehlferber
(301.402.1128)
10. Provide an overview of the system: The NIDCD MOSS Intranet system is a
comprehensive solution for managing web content and supports NIDCD's mission. The
NIDCD MOSS Intranet system allows creation of dynamic web sites using extensible MOSS
controls. Users can create, publish, and manage their own web content through the appropriate
MOSS controls. The NIDCD MOSS Intranet system is for NIDCD internal office use.
(Currently in development; 08-01-10)
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system hosts internal
SharePoint collaboration websites. The system entered production in May 2012. Q14. Identify the life-
cycle phase of this system: Operations and Maintenance. The system does not feed into any
system. (DOES NOT COLLECT PII)
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system entered production in May 2012. Q14.
Identify the life-cycle phase of this system: Operations and Maintenance. Information is in an
electronic system on NIH secure network infrastructure and is password protected with access
limited to only authorized users. NIDCD periodically reviews and implements policies in line
with HHS guidelines.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Scot Ryder (NIDCD Alternate ISSO - 301.402.1128) or Debbie
Washington (NIDCD Privacy Coordinator - 301-451-9806)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD NEI/NIDCD Usher
Database
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No, the system does not meet the requirements
for a UPI.
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NEI / NIDCD Usher Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Julie Schultz -
[email protected] / Walter Mehlferber (NIDCD CIO, 301-402-1128)
10. Provide an overview of the system: Centralized repository for storage and analysis of
clinical data produced by NEI and NIDCD researchers studying Usher Syndrome. A FileMaker Pro
database that stores clinical and genetic data from Usher Syndrome research subjects
collected by NIH investigators.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is used internally only. Safeguards are used to ensure only appropriate people have
access to the information, and that they are aware of their responsibilities for proper handling of
the information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Investigators will collect
patient history, clinical evaluations (audiologic testing, vestibular testing, and ocular testing) and
molecular testing. The data and test results will be entered into and stored in the Usher
Database.
This database will allow the investigators to share and analyze said data and will improve
researcher efficiency versus using a paper-based data collection system.
Yes, the information is PII (Name, Personal Mailing Address, Personal Telephone Number,
Medical Record Numbers, and Medical Notes).
Research subjects sign informed consent to participate in the study and are able to withdraw
from the study at any time.
Inclusion in the study, and therefore in this database, is completely voluntary, and there is a process
by which a subject can request that they no longer be included in the study database.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Investigators will collect patient history, clinical
evaluations (audiologic testing, vestibular testing, and ocular testing) and molecular testing.
Patients are informed in writing concerning how their information will be collected, used, and
shared during the course of the study.
Patient consent for the use of their information is obtained prior to inclusion in the study.
No additional processes are employed by NIDCD to inform individuals when major system
changes are made to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The IIF/PII is secured using layered security
practices. The information is contained in a password protected database. Physical security of
the building does not allow unauthorized people to enter, and the computer facilities are further
protected by locked doors. Multiple layers of firewalls also ensure that only appropriate network
traffic is allowed to pass
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: NIDCD Alternate ISSO, Scot Ryder 301-402-1128; Privacy Coordinator,
Debbie Washington 301-451-9806
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD NIDCD Employee
Database Internet Edition [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIDCD Employee Database Internet Edition
(NIDCD EDIE)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Luis Ochoa/Scot Ryder (NIDCD
ISSO, 301-402-1128)
10. Provide an overview of the system: The NIDCD EDIE system is a personnel tracking system for
internal use only (authority: PHS Act Section 301). The NIDCD EDIE system application supports the efforts
of the Office of Resource Management's (ORM) Administrative and Financial Management
Branches in tracking employee information. The application downloads this information from
the Human Resource Database (HRDB) weekly. Information entered into the NIDCD EDIE
system database is not uploaded into the HRDB.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected is
all information pertinent to a personnel file.
(1) The information contained in the system ONLY represents federal contact data. (Employee
Name, Date of Birth, Employee Status, Organizational Unit, Employment End Date, and Salary
Information)
(2) There are many uses for this information: (a) tracking a time-limited appointment to ensure
renewals are done in a timely manner thereby avoiding any break in service; (b) ensuring that
allocated FTE ceilings are maintained; (c) ensuring salary equality for various hiring
mechanisms; (d) the ability to provide reports requested by the NIH Director; (e) maintaining
lists of non FTEs, special volunteers, contractors, etc. Information is mandatory at time of hire.
(3) The information contains PII. (Employee Name, Date of Birth, Employee Status,
Organizational Unit, Employment End Date, and Salary Information)
(4) Submission of personal information is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is collected from documents provided by
employees (CV, resumes, etc.) at the time of appointment. It is provided in personnel packages
submitted through channels in order to effect a hire. This information is put into the EHRP
system and subsequently downloaded into the NIDCD EDIE system. Individuals are notified of the
collection and use of data as a part of the hiring process. Changes to the system or to the use of the
information are relayed to employees via official notices from HR.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This information is provided to key staff by
the administrator. Access to the system is authorized only for persons who have proper access rights,
using a user name and password. The system is secured in an office with locks, and the building is
secured by a security guard.
Information is in an electronic system on NIH secure network infrastructure and is password
protected with access limited to only authorized users. NIDCD periodically reviews and
implements policies in line with HHS guidelines.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: NIDCD Alternate ISSO Scot Ryder, 301.402.1128 & NIDCD Privacy
Coordinator (Debbie Washington,301.451.9806)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD NIDCD General
Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No, the system does not meet the requirements
for a UPI.
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIDCD General Support System [NIDCD
GSS]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Walter Mehlferber (Network
Chief, 301-402-1128)
10. Provide an overview of the system: NIDCD General Support System [NIDCD GSS] is an
interconnected set of information resources under the same direct management control that share
common functionality. Examples of interconnected information resources include data centers,
local area networks, workstations and servers that support multiple NIDCD applications. These
systems provide information processing services for the National Institute on Deafness and Other
Communication Disorders' (NIDCD) medical research programs and management programs as
well as Department of Health and Human Services (DHHS) and other government agency
management programs. The information technology equipment supporting these services is
operated and maintained by NIDCD's Information Systems Management Branch.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Scot Ryder (NIDCD Alternate ISSO 301-402-1128; Debbie Washington
(NIDCD Privacy Coordinator) 301-451-9806
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD Otobase
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIDCD Otobase Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carmen Brewer (NIDCD Clinic
Audiologist, 301.496.5294), Christopher Zalewski (NIDCD Clinic Audiologist, 301.496.5145)
10. Provide an overview of the system: The Otobase system is used to collect hearing test data
directly from the audiometer. It is used to a) generate an audiogram (which would otherwise be
hand written), and b) store hearing test data. Storing the data in this way provides instant access to
past audiograms, and a searchable database for purposes of research. The computers are all
password protected and, in addition, access to Otobase requires entry of another password.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is used internally only. SOR # 09-25-0200 safeguards are used to ensure only
appropriate people have access to the information, and that they are aware of their
responsibilities for proper handling of the information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) NIDCD clinicians will
collect patient history and clinical evaluations (audiologic testing notes). The data and test results
will be entered into and stored in the NIDCD Otobase Database.
(2) This database will allow the clinicians/researchers to share and analyze data and will improve
researcher efficiency versus using a paper-based data collection system.
(3) Yes, the information is PII (name, date of birth, medical number, medical notes).
(4) Patient subjects sign informed consent to participate in the study and are able to withdraw
from the study at any time. Inclusion in the study, and therefore in this database, is completely
voluntary, and there is a process by which a subject can request that they no longer be included in
the study/database.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Clinicians/researchers will collect patient history and
clinical evaluations (audiologic testing). Patients are informed in writing concerning how their
information will be collected, used, and shared during the course of the study. Patient consent for
the use of their information is obtained prior to inclusion in the study. No additional processes
are employed by NIDCD clinicians/researchers to inform individuals when major system changes
are made to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The IIF/PII is secured using layered security
practices. The information is contained in a password protected database. Physical security of the
building does not allow unauthorized people to enter, and the computer facilities are further
protected by locked doors. Multiple layers of firewalls also ensure that only appropriate network
traffic is allowed to pass.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: NIDCD Alternate ISSO, Scot Ryder 301-402-1128; Debbie Washington
301-451-9806 (Privacy Coordinator)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 0
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIDCD Status of Funds Internet [NIDCD
SOFIE]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mark Rotariu (NIDCD Budget
Officer, 301-402-0497)
10. Provide an overview of the system: SOFie is a Web based application. The SOFie
application supports the efforts of several offices and branches within NIDCD, allowing budget
offices to track expenditures of direct, reimbursable, and non-appropriated funds in a fiscal year.
Additionally, SOFie is used to reflect budget allocations and projected expenditures at the
operating level. The program also contains a tracking mechanism to track prior year funds. The
application downloads this information from the NIH Data Warehouse weekly. Information
entered into the SOFie database is not uploaded into the NIH Data Warehouse database. SOFie is
not a source database for other information systems.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII is collected.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: No PII is collected.
Accounting data and related document information is downloaded from a central accounting
mainframe and is relevant or specific to an institute or center for its fiscal year operations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII is collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: NO PII IS COLLECTED BY THIS
SYSTEM
Information is in an electronic system on NIH secure network infrastructure and is password
protected with access limited to only authorized users. NIDCD periodically reviews and
implements policies in line with HHS guidelines.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Scot Ryder NIDCD Alternate ISSO 301-402-1128; Debbie Washington
NIDCD Privacy Coordinator 301-451-9806 (8/12/2011, 2012)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR Employee
Database Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NIDCR Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ginger Betson
10. Provide an overview of the system: EDie is an intranet based application primarily used to
manage and track personnel information. Authority for maintenance of the system: 5 U.S.C.
1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal administrative use only and will not be shared with other
entities. Refer to SORN 09-90-0018.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, Fellowship
Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses
consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports
requested by the NIH Director, the IC Director, and other management staff, as requested; and e)
maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments.
The information collected constitutes PII and is mandatory for all employees. The following PII
is included in the system: name, date of birth, social security number, personal mailing address,
personal phone numbers, personal email address, education records, and employment status.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS,
nVision Data Warehouse, and NED. Changes to HRDB or changes in the way information is
used are relayed to employees via official notices from the NIH Office of Human Resources
(OHR). Individuals are notified of the collection and use of the data as part of the hiring process.
This is a mandatory requirement for job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored in EDie is accessed by a very
limited number of administrative staff with a “need-to-know” status. EDie is password protected
and sensitive data is encrypted. The system is located on a server in a secure server room behind
the NIH firewall. Physical controls include cipher locks, key cards, CCTV and identification
badges for access to servers.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kajuana Canady (301) 594-4855
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR Internet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/29/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: 42 U.S.C. 203, 241, 2891-1 and 42
U.S.C. 3101 and Section 301 of the Public Health Act. (*Periodically we run the American
Customer Satisfaction Index (ACSI) survey on the NIDCR website).
6. Other Identifying Number(s): NIDCR-8
7. System Name (Align with system Item name): NIDCR Internet Website
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jody Dove
10. Provide an overview of the system: The web site disseminates information about oral
health, research advances, funding and training opportunities, and Institute priorities to
researchers, patients, health care providers, policymakers, and the public.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
SOR 09-25-0106; The SOR on file for this system contains language which details potential
disclosure of information practices. NIDCR will comply with the SOR. A) The information
collected through the publication order form is disclosed only to specific clearinghouse staff so
they can process the orders and mail out publications to those who have requested them.
B) The NIDCR website also offers users the option to sign-up for the Institute E-Newsletter.
This Listserv list -- NIDCR-NEWSLETTER -- is hosted by the NIH Listserv facility at CIT and
has the same privacy policy as all Listserv lists they host:
https://list.nih.gov/LISTSERV_WEB/privacy.htm. The NIDCR-NEWSLETTER listserv list is
only disclosed to the owners of the list for the purpose of managing, validating, and maintaining
the subscriptions with the subscribers' consent.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: A) If someone wishes to
order a publication they must supply the following IIF information: name, address, and phone
number. This information is required to mail the publication. But it is entirely up to individuals
to decide if they wish to order publications.
B) If someone wishes to subscribe to our e-newsletter, they must supply the following IIF
information: name and e-mail address. This information is required to e-mail them the
newsletter. The sign-up is entirely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) NIDCR does not plan to make any changes to the
system. However, if a change were to occur:
A) NIDCR would post a written notice directly on the publication order form to inform
individuals of this change. The publication order form makes clear what information is being
collected (name, address, and telephone number) and why (to mail out publications that an
individual requests). The order form states that this information is shared only with our
clearinghouse for the purpose of complying with the individual’s publication request.
B) Likewise, NIDCR does not plan to make any changes to the e-newsletter sign-up. However,
were a change to occur, a notice would be placed directly on the sign-up page to inform
individuals of this change. The e-newsletter sign-up page makes clear that the individual's name
and e-mail address will only be used for the purpose of e-mailing the newsletter.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: Yes
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: A) If someone wishes to order a
publication, they must supply their name, address, and phone number through the publication
order form on the NIDCR web site. The information is stored and managed by our
clearinghouse, IQ Solutions. Access to IIF requires a password for system access. Such access
is limited to authorized system users, administrators, developers, and information technology
support personnel.
B) The following security controls are in place for the NIDCR-NEWSLETTER Listserv: IIF
will be secured on the system using Listserv basic administrative access control. Only the
Listserv designated owners with valid e-mail accounts can manage specific Listserv lists through
the NIH Listserv Secured Web User Interface (https). Except for the Listserv system
administrators, no one can have access to the Listserv console. Every issued command is
validated and confirmed via email (smtp) from/to [email protected]. The Listserv system
also is secured inside the data center following the NIH Security for NIH servers:
http://www.cit.nih.gov/ServiceCatalog/DATACENTERSECURITY.HTM
In addition, e-mail distribution to the Listserv is scanned using the best possible virus protection
from the NIH Central e-mail system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kajuana Canady / 451-3392
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR NIDCR GSS
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 9/18/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIDCR LAN
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: John Prue (301) 594-7552
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR Science Coding
and Reporting System (SCORE)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/18/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7304-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): NIH 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIDCR-03
7. System Name (Align with system Item name): Scientific Coding and Reporting (SCORE)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Timothy Iafolla
10. Provide an overview of the system: SCORE is a scientific coding system that assigns
science coding terms to specific grants, projects, and contracts funded by NIDCR. SCORE
draws information about funded grants from the NIH enterprise system on grants (IMPAC II),
and then adds NIDCR-specific science coding information. SCORE is used primarily for budget
reporting, program evaluation, and other analysis.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The SCORE system does not currently share or disclose IIF information. It is covered by the
SOR NIH 09-25-0036 for potential disclosures.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: All IIF in the SCORE
system is collected and maintained by the NIH enterprise system IMPAC II. SCORE stores this
information but does not collect or disseminate it.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This process occurs through the NIH enterprise system
IMPAC II. SCORE does not have separate procedures for this activity because all IIF in the
SCORE system is downloaded from IMPAC II.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include role-based
assignments and limited access. Technical controls include strong password authentication,
firewall protection, and administrative logs. Physical controls include cipher locks, key cards,
CCTV, and identification badges for access to database servers.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kajuana Canady/451-3392
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR SOFie
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/18/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIDCR Status of Funds Internet
Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: George J. Coy
10. Provide an overview of the system: SOFie is a Web-based financial reporting/tracking tool
that enables NIH ICs to manipulate and report on financial transactions downloaded from the
Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance
database comprises data downloaded from the NIH Business System).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No sharing or disclosures at this time.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Accounting transactions
related to payroll, grants, contracts, and procurement of goods and services. IC accounting
transactions are downloaded from the Budget & Finance database in the NIH Data Warehouse.
The data contains no IIF and is used to plan, track, and report on IC fiscal budgets.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kajuana Canady/301-451-3392
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK CellManage
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0727-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): CellManage
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Frank L. Holloman
10. Provide an overview of the system: CellManage is a database system that allows for
efficient wireless communication procurement and management. The system allows a singular
procurement purchase to cover the needs across several wireless providers/vendors. CellManage
allows increased maintenance and oversight through consolidated reporting features. Database
compiles multiple bills in one platform.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIDDK will be collecting
the same information that is already listed on each wireless communication bill; i.e. call details
such as minutes used. Instead of certifying paper bills, employees will certify bills via the
electronic system. No IIF is contained. NIDDK will be collecting the information to gain more
oversight on its wireless devices.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is contained in the system; therefore there is no
policy in place regarding notifying individuals about changes to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF is contained in the system, but
administratively, access to the data will be limited to a system administrator who will assign
access to individuals to review their own account. The server for the system is located within
NIDDK's server room, which follows federal guidelines for technical and physical security.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Frank L. Holloman - 301-496-3670
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Clinical Research
Core
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 09-25-01-05-02-0727-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIDDK Clinical Research Core
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bethel Stannard
10. Provide an overview of the system: The Clinical Research Core is an intramural NIDDK
system that manages the clinical research patient samples and tracks their location and quantity
used by Principal Investigators (PIs), or sent for testing at other clinical laboratories at NIH or
outside NIH. At a future time, the database may be linked to CRIS by the patient's medical
record number (MRN). The CRC addresses the needs of the intramural research staff and is
tailored to meet the needs of a diverse range of studies.
The driving factors for use of the CRC are:
- Provide a means to handle the specialized requirements of NIDDK study processes and
samples;
- Provide a mechanism for tracking the locations of the large volume of clinical samples; and,
- Allow for retrieval of data and samples for research purposes.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Yes, within NIH for clinical research only. This information, provided voluntarily and with the
consent of the patient, concerns diagnostic problems with scientific value and is disclosed only to
appropriate medical researchers in connection with treatment of patients. The primary use of this
information is to provide medical treatment at NIH. This information may be disclosed to
researchers for research purposes and to HHS personnel who monitor the program to assure that
safety standards are maintained. Submission of this information is voluntary. In addition, the
patient is notified that some notification or counseling of current and/or ongoing partners may be
carried out through arrangements with, or referral to, local public health agencies. This includes
the physician who referred them for treatment, and for certain communicable diseases, including
AIDS and symptomatic HIV infection, to appropriate State and Federal government agencies, in
accordance with the routine uses cited by SORN 09-25-0099. Recipients are required to
maintain Privacy Act safeguards with respect to these records at all times.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information and
samples are collected from patients, outside medical entities, and the NIH Clinical Center. This
information is voluntary with the consent of the patient for clinical research only within NIH.
The collected data is used as an aid for clinical personnel as well as the basis for research in
various diverse groups. The data consists of first name, last name, and middle initial; MRN
(patient's medical record number); diagnosis and medication (liver group only); protocol number;
study number; physician name; type of sample; storage location (room, freezer, shelf, rack, box,
position in box); release of samples, including amount, date, to whom sent, and sample return
date. Identifiable samples are released to the responsible PIs for research testing and to NIH
clinical laboratories for clinical testing. Coded samples may be sent outside NIH for clinical or
research testing without disclosure of the patient's identity.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Collections and use: Prior to any treatment and
collection of medical data and samples, the patient signs a protocol consent form. Via consent to
medical treatment and study, the patient is implicitly acknowledging the collection of medical
data. The protocol consent form explicitly addresses the use and distribution of the data and
samples with respect to confidentiality and the Federal Privacy Act.
System changes: There is a mechanism to amend the consent based on protocol changes.
Patients are required to sign any new approved amendments. This mechanism could be used to
cover changes in data policy and/or usage.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Technical, physical, and administrative
controls are in place to ensure the security of the information. The application enforces assigned
authorizations for controlling role-based access to records at the application level using user
identification and password. Role-based access is limited to the nurses and doctors conducting
patient data and sample collection and research. Restricted access to privileged functions is
additionally enforced by limiting such access to only system administrators, programmers, and
database administrators supporting the Clinical Research Core application.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Cyrus Karimian
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK EDie
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0727-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): EDie
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Gwendolyn Proctor
10. Provide an overview of the system: EDie is an n-tiered, web-based Intranet application
consisting of server hardware and operating system software to maintain two databases for
interface with the target SQL server.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share information; it only downloads employee information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Employee Database
Internet Edition (EDie) application is a web-based employee management tool for access to NIH
human resource data as an enhanced version of VEDS (Visual Employee Database System) that
it replaces. It is used by multiple Institutes within NIH to track NIDDK employee information
on salary, benefits, education, awards, disabilities, retirement eligibility, and other human
resource information. Access to information through EDie is restricted to specific users to
perform their assigned functions, and access privileges are enforced by authenticating users
against the NIH Active Directory access controls.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Collection and use: Information from NIH human
resource records is used to perform various HR activities for the benefit of employees. The
employee provides data and consent during the initial employment process upon hiring for
employment with the Federal government.
System changes: Employees are notified of any system protocol changes based on data policy
and/or usage with associated updating of employee consent if required.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Technical, physical and administrative
controls are in place to ensure the security of the information as described within the System
Security Plan, with regular backup of data and contingency planning to restore information from
any disruption and annual security awareness training refresher sessions for personnel. The
system is certified and accredited as a minor application within the general support system
providing IT services to NIDDK.
The information is secured through multiple levels of security and access controls established to
verify the user's identity and authentication to determine user authorization for access and to
perform actions requested. The access controls are supplemented with secure network services
at both the NIH and NIDDK levels.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Cyrus Karimian
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Internet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0727-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIDDK Internet Web site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Roberta Albert
10. Provide an overview of the system: The NIDDK Internet Web site system includes the
development and maintenance environment for all public Web sites hosted by NIDDK. These
Web sites serve as communication tools for disseminating information to support the mission of
the Institute.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
On http://intramural.niddk.nih.gov IIF from Intramural researchers is displayed to the general
public in order to provide contact information and a description of the research conducted.
Ref.SOR #: 09-25-0106
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system hosts web based
forms that offer one way the public can communicate with NIDDK. These forms are designed to
collect a name, mailing address, phone number, comment, or email address; however, the user is
never required to provide this information. This information is then forwarded via email to
either NIDDK’s webmaster or the Office of Public Liaison. (This information is never captured,
stored or maintained on the web system.) The forwarded email communication, when received
by the designated office, is addressed and then promptly deleted. The Office of Public Liaison
may keep email for several months in order to provide follow up actions.
IIF from Intramural researchers (name, photograph, lab location, email address, lab phone, lab
fax, research statement, education info, and publications) is collected and stored through
NIDDK’s Intranet system and displayed on the Internet system (public access web pages). For
example please see http://intramural.niddk.nih.gov/research/alphafaculty.asp. The submission of
information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All NIDDK Web pages display a link called “Privacy”
which directs users to our Institute’s privacy policy. This page can be seen at
http://www.niddk.nih.gov/tools/privacy.htm.
This page explains that NIDDK does not capture personally identifiable information unless
provided by the user. This page also offers contact information for NIDDK’s Privacy officer, in
the event the user has additional questions.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: NIH NIDDK Internet Web site system does
not store IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Cyrus Karimian
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Intranet Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0727-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIDDK Intranet Web site
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Roberta Albert
10. Provide an overview of the system: The NIDDK Intranet Web site system provides and
manages information that supports the work of NIDDK employees.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The IIF collected by the Intranet system is only shared/disclosed to NIDDK staff responsible for
managing that information. Ref SOR # 09-25-0216
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIDDK Intranet uses a web
based form to collect staff registration information for Institute retreats. The type of information
collected includes staff name, lab address, phone number, email address, whether they are
presenting, special dietary requirements, transportation needs and roommate preference. This
information is only used by administrative staff responsible for organizing these retreats.
Supplying this personal information through the system is NOT mandatory.
In addition, another form collects Investigator information such as name, lab address, email,
education, research statement, publications, research interests, and a photograph. This
information is posted on the public-facing website located at http://intramural.niddk.nih.gov.
Only web staff and the owner of the content have direct access to this information within the intranet
web system. The submission of this information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Both web forms display language that indicates the
intended use of the collected information and provides contact information for the staff handling
this collected information. The forms that collect Investigator information (for display on the
public website) additionally contain a link titled “Privacy” which leads to a page that posts
NIDDK’s privacy policy and provides contact information for NIDDK’s Privacy Officer.
Investigators are required to review and update their own information on a yearly basis. All
changes to the system are approved by an Intramural Web Advisory Group and then
investigators are notified via email.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The Intranet web system requires user
authentication provided by Active Directory. Further controls are put in place on individual IIF
containers. The IIF for staff retreats is contained within a spreadsheet in a restricted folder.
This folder can only be accessed by web and administrative staff responsible for the retreat. The IIF
for the public-facing website can only be accessed by web staff and the owner of the content. All
IIF is contained on servers that are located behind firewalls, are password protected and are
physically locked in a server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Cyrus Karimian
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK NIDDKnet
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 09-25-01-05-02-0727-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NIDDK NIDDKnet General Support
System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Chuck Pham
10. Provide an overview of the system: The NIH NIDDK NIDDKnet is a series of Local Area
Networks (LAN) to form a general support system to facilitate management of network services
for data processing and communications needs, providing authorized access to information
systems and major applications within the NIH infrastructure. NIDDKnet provides a common
network environment under a single authority (NIDDK) and security measures to connect
servers, workstations, printers, networks, applications, storage devices, and other IT devices,
regardless of physical location, to enable users to share resources and communicate directly with
each other over a moderately-sized geographic area for connection to the NIHnet.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Yes, within NIH for clinical research only.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIDDKnet supports data
and communication needs to share network devices and functions within NIDDK and to
access resources provided by NIH, including appropriate protocols and related services for
retrieval of data for research purposes and administrative functions. Applications and databases
processing, storing and transmitting clinical research information that contains PII are transmitted
using network services supported by NIDDKnet. The information that NIDDK collects from
patients, outside medical entities, and the NIH Clinical Center is used as an aid for clinical
personnel as well as the basis for research in diabetes, digestive, and kidney diseases. The data,
dependent on the major application collecting and storing the data, consists of basic demographics,
laboratory test results, medications, diagnostic images and other medical data. This data is the
minimum necessary to present a clinical description of a patient and to allow retrospective
research on clinical outcomes. Data submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Collection and use: Prior to any treatment and
collection of medical data, the patient signs a protocol consent form. Via consent to medical
treatment, the patient is implicitly acknowledging the collection of medical data. The protocol
consent form explicitly addresses the use and distribution of that data with respect to
confidentiality and the Federal Privacy Act.
System changes: There is a mechanism to amend the consent based on protocol changes.
Patients are required to sign any new approved amendments. This mechanism could be used to
cover changes in data policy and/or usage.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Technical, physical and administrative
controls selected from NIST SP 800-53 and the NIH Enterprise Information Security Plan (EISP)
are in place to ensure the security of the information. The general support system and
component applications operating within a defense-in-depth approach for managing the
resources of people, technology, and operations provide a mechanism to enforce assigned
authorizations for controlling role-based access to records at the application-level using user
identification and password consistent with the assigned privilege level for their individual
access accountability. Role-based access is limited to the nurses and doctors conducting patient
data collection and research. Restricted access to privileged functions additionally uses the
enforcement mechanism of two-factor authentication using RSA tokens. Privileged access is
limited to the system administrators, programmers, and database administrators supporting
specific applications or those assigned to support network devices and operations at the general
support system level.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Cyrus Karimian
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Research Data
Storage and Analysis [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8412-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIDDK Patient Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Tahir Rameez
10. Provide an overview of the system: Medical data storage and analysis system involving the
study of diabetes, obesity and related diseases among American Indian tribes, in particular the
Pima of Arizona.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is made available to designated administrative personnel for data collection and maintenance.
IIF is made available to designated NIH research scientists for analysis in the context of diabetes
and obesity research and treatment. Data is shared with Indian Health Service and the Gila River
Indian Community through the Gila River Health Care Corporation, both as research findings
and as records affecting patient care.
Also see Privacy Act System of Records (SOR) Number 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Medical data is collected
under IRB approved protocols at periodic examinations in support of various research studies
among Native Americans, principally involving diabetes and obesity. The data contains IIF.
Participation in the research as well as submission of the IIF is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Subjects are required to sign a consent form before any
information can be collected. The form describes what is to be collected, the reasons therefor,
and the destination of that data.
In the event of a major system change subjects still living will be asked to re-consent to such
changes. Ongoing demographic data is maintained by the system to facilitate contacting of
subjects.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Computerized copies of the data collected
are physically maintained on a computer server. Paper records are maintained in a designated
records room. Both the server and paper records are protected by key entry doors and further
protected 24/7 by security guards in the context of overall campus security. Access to both
systems is restricted to personnel determined administratively on a need to know basis. Access
to computerized data is password restricted to authorized personnel.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Cyrus Karimian
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Status of Funds
Internet Edition (SoFIE)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0727-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Status of Funds - Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Gwenoldyn Proctor
10. Provide an overview of the system: SOFie is a web-based application that supports several
offices within NIH, providing authorized users with financial reporting and analysis functionality,
including tracking expenditures within a fiscal year (FY).
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: SOFie provides NIDDK
with distributed budgeting and planning tools for detailed spending analysis of data within the
NIH financial reporting system as an enhanced version of the Visual Status of Funds (VSOF)
that it replaces and is not a source database for other information systems.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The system does not process PII, so no consent is obtained. Data
consists of IC financial expenditures.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII is not used. The SOFie application is
used by multiple Institutes within NIH to track NIDDK budget and other financial expenditure
information. Access to information through SOFie is restricted to specific users to perform their
assigned functions, and access privileges are enforced through authentication against the NIH
Active Directory access controls for authorized access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Cyrus Karimian
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Technology
Transfer (TTTS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0727-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0168
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): 09-25-0168
7. System Name (Align with system Item name): Technology Transfer Tracking System
Health Service by its Employees, Grantees, Fellowship Recipients, and Contractors,
HHS/NIH/OD
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Patricia Lake
10. Provide an overview of the system: The Technology Transfer Tracking System (TTTS) is
a commercial off-the-shelf (COTS) product developed by Knowledge Sharing Systems that is a
customizable database application for managing and tracking data and processes related to
protecting and transferring technologies including patenting and agreements negotiations and
pre-issuance and post-execution monitoring. The TTTS system enables the Office of Technology
Transfer Development to identify legal deadlines, store agreements and technologies, provide
information access to technology managers and investigators, track events, and automate
processes. The system automatically generates documents, logs events, and logs due dates when
certain criteria are met or triggers are hit.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Only employees of NIDDK and contractors working on the NIDDK domain can access the
names, work addresses and phone numbers in the system, which are provided for the purpose of
contacting, or tracking contacts with, the persons who provided their information. Reference
SOR #: 09-25-0168
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system contains PII in
the form of contact information, including name, work address, work e-mail address, work phone
numbers and, in a few instances, cell phone numbers, for persons who are involved in
collaborations or negotiations for collaborations with NIDDK or for transfer of scientific
materials, including NIDDK employees. The information is used to contact persons for
communications involving the relevant collaboration or request. No particular information is
mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No processes are in place to notify individuals whose
information is in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is accessible only through a
username and password. The password policy requires at least one number and at least one
capital letter. Only administrative access permits user permissions to be granted or removed.
The system is operated and accessed only on government-owned computer systems, behind a
firewall. The user must be accessing the system from a recognized and previously-identified
static IP address from within the NIDDK.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Cyrus Karimian
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Teleresults
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0727-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): NIDDK P.O. number 263-MK-015345 for Teleresults
7. System Name (Align with system Item name): Teleresults
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Michael Ring
10. Provide an overview of the system: The Teleresults/Lab Grabber system manages the
clinical and research data for patients of the Transplant Lab (Kidney Disease Branch) and the
Diabetes Branch. The system was installed specifically for the needs of the solid organ transplant
floor, but its use now includes other patients as well.
The driving factors for the installation of the system were:
- Provide a means to handle the specialized requirements of transplant processes
- Provide a location to save the large volume of outside clinical data
- Allow retrieval of data for research purposes.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Walter Reed Army Medical Center for medical evaluation and consults. In addition, please refer
to SOR #09-25-0099
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information is collected
from patients, outside medical entities, and the NIH Clinical Center. The collected data is used as
an aid for clinical personnel as well as the basis for research in organ transplant and
immunology. The data consists of basic demographics, laboratory test results, medications, and
other medical data. This data is the minimum necessary to present a clinical description of a
patient and to allow retrospective research on clinical outcomes. Data submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Collection and use: Prior to any treatment and
collection of medical data, the patient signs a protocol consent form. Via consent to medical
treatment, the patient is implicitly acknowledging the collection of medical data. The protocol
consent form explicitly addresses the use and distribution of that data with respect to
confidentiality and the Federal Privacy Act.
System changes: There is a mechanism to amend the consent based on protocol changes. Patients
are required to sign any new approved amendments. This mechanism could be used to cover
changes in data policy and/or usage. Given the nature of the system (clinical/research), we have
had no need for such amendments based on data policy nor do we anticipate any.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Technical, Physical and administrative
controls are in place to ensure the security of the information. These include an up to date
System Security Plan, Contingency Plan, regular offsite backup of the data, and yearly security
awareness training for all personnel. The system is certified and accredited.
The information is secured through multiple levels of security and access controls have been
established to authenticate the user and to determine if the user has the authorization to perform
actions requested. The access controls are supplemented with a secure network at both NIH and
NIDDK.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Cyrus Karimian
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Career Trac
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0014
5. OMB Information Collection Approval Number: 0925-0568
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIEHS CareerTrac
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Christie H. Drew
10. Provide an overview of the system: CareerTrac is a trainee tracking and evaluation system
for several NIH Institutes. The goal of this system is to track long-term trainee outcomes for
specific trainees supported by NIEHS, FIC and NLM. The system allows extramural and
intramural PIs to track trainee's accomplishments. Most extramural PIs are required to track
outcomes for 10 years as a condition of their grant award. We will use the system to conduct
assessments and evaluations on trainee productivity, career outcomes, and successes. CareerTrac
is a collaborative database used by multiple ICs, including NIEHS, FIC and NLM. This PIA
covers all ICs. As new partners join the system, we will update the PIA accordingly.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
NIH evaluation staff for review and evaluations; intramural and university principal investigators
and their administrators responsible for data entry.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The system will collect,
track, and report on information about NIH-supported trainees, such as trainee name, contact
information, biographical information, training information, and subsequent career information.
The system also supports tracking of trainees' accomplishments, such as fellowships, awards,
employment, education, product of policy development, publications, funding received,
presentations at conferences, and students mentored.
(2) The agency will use this information to evaluate the long-term outcomes of training program
investments and make recommendations for improvement. The information may be aggregated
for reporting purposes to other organizations, such as DHHS, Congress and other organizations
interested in training investments and outcomes.
(3) The information contains PII.
(4) Submission of personal information is mandatory for trainees who are officially appointed to
Institutional training grant programs supported by NIH, but is voluntary for trainees who are
supported by grants that do not require formal appointments through X-Train.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) None
(2) Trainees who are officially appointed to the program via X-Train are aware that NIH collects
data about them, based on the conditions of their awards. For all other trainees entered into the
system, CareerTrac will provide an electronic notification to trainees about the purpose of the
data and how it will be used and shared. We request that trainees read the Privacy Act
Disclosure and sign a Certificate of Acceptance form, which is clearly documented in
CareerTrac.
(3) The agency will use this information to evaluate the long-term outcomes of training program
investments and make recommendations for improvement. The information may be aggregated
for reporting purposes to other organizations, such as DHHS, Congress and other organizations
interested in training investments and outcomes.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The following safeguards are implemented
in order to protect the information collected through CareerTrac. Regular access to the
information is limited to NIH employees, contractor employees, or principal investigators and
their administrators who are conducting, reviewing or contributing to the system. Other access
will be granted only on a case-by-case basis, consistent with the restrictions, as authorized by the
system manager or designated responsible official.
Administrative Control: CareerTrac has a system security plan and backup plan. The files are
backed-up regularly and maintained in a secure location.
Technical Control: CareerTrac is securely hosted behind the NIEHS/NIH firewall.
Passwords are encrypted and changed regularly. PIs and their administrators can only view
records from trainees supported by their grants. NIEHS maintains appropriate physical,
electronic, and procedural safeguards to ensure the security, integrity, and privacy of trainees'
information.
Physical access controls are in place for CareerTrac. Records are stored in locked containers in
areas which are not accessible to unauthorized users, and in facilities which are locked and
guarded. Sensitive records are not left exposed to unauthorized persons at any time.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS CRU Clinical
Management System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NO
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): NIH NIEHS CRU Clinical Management
System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kimberly Burnett-Hoke
10. Provide an overview of the system: The NIEHS Clinical Management System (eSphere -
software name) is an Oracle based database and work flow mapping system that will serve as the
main patient record, scheduling, and data management tool for the new CRU. The system will
hold patient records and medical history as approved by the NIEHS IRB, physician educational
and credentialing/privileging data, calendar scheduling, and some basic statistical analysis tools.
The system is needed because the NIEHS CRU is a new outpatient-based clinical research clinic
that will open and begin seeing patients in January of 2009.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The purpose is to track, monitor, and evaluate NIH clinical, basic, and population-based research
activities and protocols. The system may share or disclose information to NIH researchers,
agency contractors, consultants, etc. who have been engaged by the agency to perform research
related activities. Other disclosures may include Congress, the Department of Health and Human
Services, the Department of Justice, and the Public Health Service. Disclosures and sharing of
information will only be for, and will be in compliance with, SORN 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information is used to
document, track, monitor, analyze, and evaluate NIH clinical, basic, and population-based
research activities and protocols. The exact data collected for each protocol and from each
individual will differ based on final approval of the NIEHS IRB but could include name, date of
birth, SSN, mailing address, phone numbers, previous medical records and medical history (as
well as newly generated medical notes from new procedures), email addresses, educational
levels, military service and deployment locations, foreign activities, height, weight, gender, lab
values, and other yet to be determined data.
Submission of all data is voluntary, but is a required condition to participate in the research
protocol/activity. Failure to provide any or all required data may exclude the participant from
research activity eligibility.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All IIF that is being collected is clearly communicated
and listed on the consent forms that are required to be read and signed by all research
protocol/activity participants. These forms clearly let the participant know what is being
collected from them, for what purpose, and who will see it. It also asks permission to re-
contact the individuals in the future if changes are needed. If participants elect not to be re-
contacted, any changes will result in that person's IIF and data being destroyed. If re-contact is
approved on the original consent forms, any changes will result in re-contact, at which time new
consent forms will be presented and signed outlining any changes. All consent forms (and all
research protocol/activity forms and IIF data) must be reviewed, approved, and cleared by the
NIEHS IRB prior to any data being collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is password protected according
to NIH policy. The system is housed in the NIEHS facility with tightly controlled access. Please
refer to the NIEHS General Support System Certification and Accreditation Package for more
details.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS DERT Extramural
Grantee Data Collection (DEGDC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 7/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0657
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIEHS DERT Extramural Grantee
Data Collection (DEGDC)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kristi Pettibone
10. Provide an overview of the system: We are seeking clearance from the Office of
Management and Budget to collect data on grantee outcomes and impacts that are not reported in
their progress reports. We are also asking to collect information on their satisfaction with the
program management process. We will collect the information using a survey that will be
available as a paper-based or a web-based survey. The information collected will be stored in an
electronic database. This electronic database is the system. We will use a unique identifier for
each respondent rather than a name.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Outcome information to
be collected includes measures of agency-funded research resulting in dissemination of findings,
investigator career development, grant-funded knowledge and products, commercial products
and drugs, laws, regulations and standards, guidelines and recommendations, information on
patents and new drug applications and community outreach and public awareness relevant to
extramural research funding and emerging areas of research. Satisfaction information to be
collected includes measures of satisfaction with the type of funding or program management
mechanism used, challenges and benefits with the program support received, and gaps in the
research.
(2) Information gained from this primary data collection will be used in conjunction with data
from grantee progress reports and presentations at grantee meetings to inform internal programs
and new funding initiatives. The information will be used to inform programmatic improvements
within the National Institute of Environmental Health Science’s Division of Extramural Research
and Training.
(3) The data collected does not include any PII
(4) The data collected does not include any PII so it is neither voluntary nor mandatory.
Completion of the survey is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII will be collected in this survey.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No PII will be collected on the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Drugmatrix
Database and Analysis Tool (DDAT)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIEHS Drugmatrix Database and
Analysis Tool (DDAT)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Scott Auerbach
10. Provide an overview of the system: The Drugmatrix database and analysis tool is an
NIEHS-owned toxicogenomic resource that allows for analysis of gene expression data from
rats. This resource is of interest to those that work in the field of toxicology and environmental
disease. The core component of Drugmatrix is a collection of gene expression studies derived
from tissues/organs of rats exposed to a variety of drugs and well-documented toxicants. The
interface allows users to analyze existing Drugmatrix data or to upload their own data for
comparison and analysis using a variety of tools.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The toxicology
information collected will be from rats only. (2) NIEHS will use the information for toxicity
studies. (3) The information does not contain PII. (4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Employee
Database Internet Edition
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/2/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NIEHS Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lisa Rogers
10. Provide an overview of the system: EDie is an intranet-based application primarily used to
manage and track personnel information. Authority for maintenance of the system: 5 U.S.C.
1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal administrative use only and will not be shared by other
entities. Refer to SORN 09-90-0018, SORN 09-90-0024 and SORN 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, Fellowship
Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses
consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports
requested by the NIH Director, the IC Director, and other management staff, as requested; and e)
maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments.
The type of information collected constitutes PII and includes, but is not limited to the following
data elements: name, home address, home phone number, social security number and date of
birth. The PII collected is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS,
nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is
used is relayed to employees via official notices from the NIH Office of Human Resources
(OHR). Individuals are notified of the collection and use of the data as part of the hiring process.
This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored in EDie is accessed by a very
limited number of administrative staff with a “need-to-know” status. EDie is password protected
and sensitive data is encrypted. The system is located at NIEHS, Bldg. 104, Data Center,
Research Triangle Park, NC, behind the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS GuLF Worker
Study System (GWSS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: OMB Control Number: 0925-0626; ICR
Reference Number: 201012-0925-004
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIEHS GuLF Worker Study System
(GWSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: David Johndrow
10. Provide an overview of the system: The GuLF Worker Study System (GWSS) is a minor
application whose purpose is to support the GuLF STUDY’s subject recruitment and data
collection efforts. This system will collect data pertaining to participant clean-up-related tasks,
demographic and socioeconomic factors, occupational and health histories, psychosocial factors,
and physical and mental health. A total of approximately 55,000 persons are expected to be
enrolled into the cohort. The GWSS is a secure IT system which consists of commercially
available research study software from DatStat (http://www.datstat.com), Microsoft SQL Server
2008 databases, and Avaya Dialer telephone software running on Windows 2008 Rel. 2. The
DatStat product, Illume, is the tool used to design, build, test, and manage questionnaires
(surveys). Illume is also the tool used for importing and exporting data and managing the data.
The DatStat product, Discovery, manages the workflow of the trained personnel who administer
computer-assisted telephone interviews (CATI) and computer-assisted personal interviews
(CAPI).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Collection of this
information is authorized under 5 U.S.C. 552a. The primary use of this information is for use in a
research study entitled GuLF STUDY: GuLF Long-Term Follow Up Study, sponsored by the
National Institute of Environmental Health Sciences (NIEHS). The mission of NIEHS is to
reduce the burden of human illness and disability by understanding how environment influences
the development and progression of disease. NIEHS pursues this mission through
multidisciplinary biomedical research and through communication of research results to
regulatory agencies, clinicians, the scientific community, and the general public. The GWSS
enables this research.
PII collected as part of this study includes name, address, phone numbers, date of birth,
race/ethnicity, social security number, demographic and socioeconomic factors, and medical
information. Information is not disclosed to persons outside of the study team, as protected by a
Certificate of Confidentiality. Submission of this information is required if a participant wishes
to participate in the research study.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Individuals whose PII is collected undergo an informed
consent process with a trained member of the study team. Participants are told that their
information is protected through a Certificate of Confidentiality and that it may be placed, in a
coded or de-identified format, in a database to be used by other researchers. There are no major
system changes planned for this research study database that would require participant
notification.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The GWSS adheres to SRA corporate
policies, CO-POL-27 Information Security Governance Policy and IT-POL-14 Information
Security Policy, which detail the formal policy and guidelines for the Security Assessment and
Authorization of SRA systems. These policies are reviewed annually. The GWSS is a standalone
system with no interconnections to other information systems outside of the authorization
boundary. The System Security Plan (SSP) documents an initial security control assessment and
is provided to the authorizing official (AO) as a part of the NIEHS authorization to operate
process. The SSP uses the NIST SP 800-53 security baseline for a moderate impact system to
evaluate the security controls in the GWSS in order to document the extent to which the controls
are implemented. The SSP requires substantial administrative, technical and physical controls
for access to all project data. Specifically: all project data that contains PII is restricted to project
folders, SurveyNet and the SAVVIS data center for study outcomes. As such, administrative
controls in effect include the SSP, corporate access policies that restrict access to cleared project
personnel only, backup plans that restrict the inclusion of PII for offsite storage, and the in-
process system certification and accreditation. Access to PII is physically controlled through the
use of two-factor user authentication, a dedicated Firewall and VPN architecture, database
encryption methods and forced password reset/change policies. Physical access to systems that
contain PII is controlled via required guards, personnel ID badges, cipher locks, biometrics
access-control and is subject to regular monitoring via closed circuit television. Physical access
to systems is granted to only project IT support staff and is logged. Sensitive PII adheres to the
same controls listed above except that it is restricted to only the SAVVIS datacenter, which is the
system component that contains by far the most access controls, going well beyond
those that are listed here (mantraps, 24x7 monitoring, etc.)
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Hazardous Worker
Training Data Management System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0348
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH NIEHS Hazardous Worker Training
Data Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Joseph "Chip" Hughes, Jr.
10. Provide an overview of the system: System provides functionality not available via central
systems to support the mission of the hazardous worker education and training program.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A, there is no IIF information in the system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected
includes programmatic data from NIEHS Worker Education and Training grantees such as
progress reports and training data. The data management system provides a convenient way for
authorized users to input and access their training data including - course curricula, progress
report materials, projected and actual training data, student demographic data, and annual
reports; while providing quality control for each submission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no IIF information located in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no IIF information in the system.
(Information is stored on a secure Oracle 9i database that is password protected and is behind the
NIH and NIEHS firewalls.)
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Health and Safety
Production System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-6299-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 9250105
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH NIEHS Health and Safety Systems
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Scott Merkle
10. Provide an overview of the system: Systems relating to monitoring and tracking the
NIEHS health and safety program in conjunction with the NIH mission.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No individual information is shared by this system. However, procedures in SOR #09250105
apply
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information collected is
needed to assure and monitor employee health and safety in the NIEHS workplace and to comply
with safety and health recordkeeping regulations. Information is obtained from other NIH
systems or from NIEHS employees in an on-site medical facility or when safety incidents occur.
Occupational health evaluations are mandatory for certain laboratory employees. The types of
PII maintained in the system include basic demographics (e.g., name, NED employee ID
number, date of birth, personal contact information, and employment status) and summary notes
on workplace injury incidents and summary results of exposure and occupational health
evaluations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is collected only from employees in
conjunction with their job responsibilities. Individuals are made aware of the program when they
are hired. The Health and Safety Office and their supervisors would inform them of changes in
requirements.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is maintained on a database
with access only by authorized users with a valid password. Facility is locked with limited key
card entry.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS NCI Agricultural
Health Study (AHS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/4/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200, Clinical, Epidemiologic, and Biometric Studies of
the National Institutes of Health (NIH), HHS/NIH/OD
5. OMB Information Collection Approval Number: 0925-0406
6. Other Identifying Number(s): AHSW
7. System Name (Align with system Item name): NIH NIEHS NCI Agricultural Health Study
(AHS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Novie Beth Ragan
10. Provide an overview of the system: The Agricultural Health Study (AHS) system of
records collects clinical and epidemiological data on health volunteer persons who are part of the
Agricultural Health Study cohort, for the purpose of scientific analysis and publication of
epidemiological research. AHS is a collaborative effort involving the National Cancer Institute
(NCI), the National Institute of Environmental Health Sciences (NIEHS), and the U.S.
Environmental Protection Agency (EPA). Phase I was the initial cohort recruitment, 1993-1997.
Phase II follow-up was conducted 1999-2003. Phase III follow-up was conducted 2005-2010. In
addition to data collection involving the full cohort, a series of sub-studies involving smaller
numbers of AHS study participants were conducted, measuring selected pesticide exposures,
and/or focusing in greater details on specific diseases or exposures. Phase IV of the AHS began
in September 2011, with a) the award of a new base contract at Westat, co-administered by NCI
& NIEHS, b) award of a new Phase IV follow-up effort with existing contract at SSS,
administered by NIEHS; c) a concomitant change in Sept. 2011 in the NIEHS AHS computing
facilities to ECF (Epidemiology Computing Facility) at SSS, administered by NIEHS.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
AHS PII collected and maintained includes name, date of birth, social security number, mailing
address, phone number, and pesticide application certificate types. Disclosure of AHS PII:
National Death Index (NDI) - Annual match with NDI Plus files.
Internal Revenue Service (IRS) - to obtain updated address information - stored at Westat (joint
NCI/NIEHS contractor) for AHS Phase IV.
Information Management Services - IMS - separately contracted by NCI - performs data
analyses for NCI using analytic datasets. Analytic Data (including date of birth, but not including
other personal information) are shared among members of the AHS research team at NCI,
NIEHS, EPA.
<Names, addresses and phone numbers of research subjects are not stored in analytic databases,
records or files hosted at NIH, NIEHS, NCI or EPA. IIF information is not shared on research
participants, except date of birth, which is used for scientific research analysis purposes only>
Westat separately contracted by NCI – currently holds the full AHS participant contact
database, including date of birth as well as other personal identifying information for all AHS
participants – and handles all direct interactions with North Carolina participants for NCI studies
within the AHS. NCI has a sub-contract with the University of Iowa to handle Iowa participant
contacts. However, unlike earlier contracts, Westat now retains AHS participant IIF. Once the
NIEHS AHS Phase IV study gets into the field (anticipated January 2013), NCI/Westat will share
participant identifiers with NIEHS/SSS.
Westat - separately contracted by NIEHS performs data analyses for NIEHS. Analytic Data
(including date of birth, but not including other personal information) are shared among
members of the AHS research team at NIEHS for NIEHS AHS sub-studies.
<Names, addresses and phone numbers of research subjects are not stored in analytic databases,
records or files hosted at NIH, NIEHS, NCI or EPA. IIF information is not shared on research
participants, except date of birth, which is used for scientific research analysis purposes only>
Social and Scientific Systems - SSS separately contracted by NIEHS handles all direct
interactions with AHS participants in NIEHS substudies only: namely AHS Lung Health Study,
GAP Study, AHS Neurobehavioral Study, AHS Disease Validation (Autoimmune, Parkinson's
Disease PD) Studies, GENARM Study, SAFE Study, AHS Phase IV follow-up interviews and
FAME Study.
Names, addresses and phone numbers of AHS NIEHS add-on research subjects are stored in
secure and locked databases, records and/or files hosted at Social and Scientific Systems (SSS).
This system is also covered under the Privacy Act System of Records Notice 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: AHS analytic data do not
contain direct identifiers such as name, address, or SSNs.
The NCI shares PII with NDI and the IRS when performing matches to the NDI and IRS files.
Contact information (name, address, phone number) for full cohort is stored at NCI contractor
Westat in anticipation of use in future substudies, cohort maintenance purposes (e.g., possible
mailings of study update newsletters), and matching with state and national vital statistics and
health registries.
Participation is voluntary; full and open consent is required before information is collected.
The AHS system collects a wide variety of clinical information including pesticide application
histories, medical histories, health information, exposure measurements from field instruments,
and questionnaire data.
All IIF (except date of birth) on full cohort research subjects is kept at the Westat (NCI
contractor) sites and is not available to investigators.
All IIF (except date of birth) on the sub-sets of AHS cohort research subjects who are
participants in NIEHS sub-studies (namely AHS Lung Health Study, GAP Study, AHS
Autoimmune Study, GENARM Study, SAFE Study and FAME Study) is kept at SSS (NIEHS
contractor) sites and is not available to investigators.
PII collected and maintained on all AHS participants includes name, date of birth, social security
number, mailing address, phone number, and pesticide application certificate types.
PII collected, maintained, and updated for NIEHS sub-studies (namely AHS Lung Health Study,
GAP Study, AHS Autoimmune Study, GENARM Study, SAFE Study and FAME Study) for
AHS participants includes name, date of birth, social security number, mailing address, phone
number, and pesticide application certificate types.
Monthly updates to AHS addresses, phone numbers and other PII collected by SSS for NIEHS
sub-studies (namely AHS Lung Health Study, GAP Study, AHS Autoimmune Study, GENARM
Study, SAFE Study and FAME Study) are sent via encrypted transmissions to Westat (NCI
contractor) to update the full AHS cohort data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There have been no major changes in the system and
none are contemplated. NCI and NIEHS IRBs would review any major changes prior to
implementation and provide us with guidance on any needed notification and consent
requirements.
As part of the research protocol, all subjects are required to fill out consent documents which
describe how their information will be used. If these change, participants will be contacted and
informed.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Extensive safeguards are in place to ensure
the confidentiality of each subject is protected.
TECHNICAL CONTROLS: Each AHS subject was assigned a six-digit ID number; these IDs
are used for any references to subjects on an individual basis. Names and other identifying
information for the whole cohort are kept in separate databases maintained by Westat for NCI, and
for the NIEHS sub-study participants, identifying information is also kept in separate databases
maintained by SSS. AHS cohort identifying data are not commingled with the analytic data. These
data files are joined only for performing linkages to the mortality and cancer incidences
databases. Contact of subjects occurs only through Westat (for NCI) or SSS (for NIEHS).
Several layers of passwords exist to ensure unauthorized access to electronically stored data is
not permitted. The system is protected by firewalls, intrusion detection systems, and passwords.
There are comprehensive system security and contingency plans in place. An Incident Response
capability is maintained.
PHYSICAL CONTROLS: At Westat (for NCI), hard copies of questionnaires that contain any
personal information are stored in locked rooms. All personnel involved with the project have
signed confidentiality agreements. Badged access is required for all server rooms, with badge
lockdown policies in line with existing NIH procedures. Physical racks are key-locked. The data
center is behind keycard access with 100% identification badge check by a 24/7 security guard.
At SSS (for NIEHS), system accounts use Windows 2008 R2 Active Directory, and NTFS
permissions secure the data. The server room has separate Data Watch card access. Physical
firewalls, VLANs and dual-factor authentication further secure system data. Access forms are
used to document who has access to the various study data. SQL permissions and access
to data are controlled with permission forms, signatures and SQL Administrator accounts.
At Westat (for NCI), for a few weeks each year, AHS cohort participant names, social security
numbers, and other identifying information are merged with other files for submission to NDI
Plus for matching to death records and to IRS to obtain current address data. These linked files
are stored in a directory accessible only to the project's lead systems manager and one
programmer. They are also encrypted when not in use and the encryption key is known only by
the same two staff members. The files are never left in unencrypted form overnight, so that
automatic backups contain only encrypted versions. After the field stations confirm receipt of
readable files, the merged data file copies at Westat are deleted.
MANAGEMENT CONTROLS: All PIs and investigators are approved by an AHS central board
before gaining access to analytical data (including date of birth). Personal contact information is not
available to NIH investigators.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS NIEHS General
Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/2/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): n/a
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIEHS General Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: John Grovenstein
10. Provide an overview of the system: This is the certified secure infrastructure that supports
NIEHS operations. NIEHS applications and databases reside on this system. There is no specific
data collection system.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Infrastructure only.
Individual systems are addressed separately.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Infrastructure only. Individual systems are addressed
separately.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: Yes
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS NIEHS Status of
Funds Internet Edition [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 7/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIEHS Status of Funds Internet Edition
(SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Susan Hart
10. Provide an overview of the system: SOFie is a reporting tool that allows an Institute to
manipulate and report on financial transactions and general accounting information downloaded
from the NIH Central Accounting System (CAS). It tracks budget allocations, open
commitments, obligations, invoicing and payments. Transactions are passed through other
systems and then downloaded, or linked into the shared data system called nVision Data
Warehouse, where it is then uploaded into SOFie and exported to Excel. Downloads are
processed on a daily basis, generally in the evening hours to ensure all allocation entries and
adjustments are captured in real time. The daily downloads allow administrative and
management staff to accurately report on the budgets established within the IC office, laboratory,
section or branch. Financial transaction details are charged to a Common Accounting Number
(CAN) which is part of a hierarchical accounting structure termed the Accounting Code
Structure (ACS). The ACS groups CANs into summary levels which include the appropriation
source, budget activity, allowance name, and CAN. The CAN is tied to a Project Number,
categorized by Object Class Code (OC), and summarized and itemized by individual Document
Numbers assigned for reference purposes. Additional manipulation is possible to track expenses
by month or fiscal year, by date range, and through several stages of the acquisition process.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Fiscal year operational
information and general accounting data are downloaded from the NIH Central Accounting
System (CAS) into a commercial, off-the-shelf (COTS) software product purchased by the
Institute/Center (IC) and exported to Excel. The financial information is specific to the IC and is
organized by category (e.g., salary, benefit, award, appropriation, central services, etc.). It can be
sorted by organizational code, object class code, date or amount of a commitment, expenditure,
or obligation, etc. The system contains no personally identifiable information (PII) on any
individual.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS NTP Chemical
Tracking System (Chemtrack)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIEHS NTP Chemical Tracking
System (Chemtrack)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Beth Bowden
10. Provide an overview of the system: The National Toxicology Program Chemical Tracking
Database application supports all aspects of the NTP process at a high level. The application
collects all aspects of study administration and study milestones. The application generates
various reports for project review.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Chemtrack contains
tracking information for National Toxicology Program (NTP) committees, nominations, studies
and test articles. It is used to manage NTP studies, nominations and test articles. It only
contains information from Contracts or the Federal government. (2) The NTP uses Chemtrack to
manage its research portfolio. (3) The information does not contain PII. (4) Not applicable.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A - no PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS NTP Database
Search (NTP DBSearch)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIEHS NTP Database Search (NTP
DBSearch)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Beth Bowden
10. Provide an overview of the system: The National Toxicology Program Database Search
application allows NTP researchers and public users to search for, view, and download data from
NTP studies.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The National Toxicology
Program (NTP) Database search makes available to the public detailed scientific data on NTP
studies. It only contains information from Contracts or the Federal government. (2) To make
NTP scientific data available to the general public. (3) The information contains no PII. (4) Not
applicable.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A - no PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS NTP Genetic
Toxicology (Genetox)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIEHS NTP Genetic Toxicology
(Genetox)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Beth Bowden
10. Provide an overview of the system: The Genetic Toxicology (Genetox) application collects
data on Salmonella and Micronucleus assays and generates reports on these assays as well as
other Genetic Toxicology assays. The other assays are Drosophilae, Chinese Hamster Ovary,
Chromosome Aberration, and Sister Chromatid Exchange.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Genetox collects detailed
information on Micronucleus and Salmonella assays from Contract Laboratories. It reports on
these assays as well as CHO, Chromosome Aberrations, Sister Chromatid Exchange, and other
Genetic Toxicology assays that were once used. It only contains information from Contracts or
the Federal Government. (2) To hold and report on detailed data on the genetic toxicity of
various chemicals and test articles. (3) The information does not contain PII. (4) Not applicable.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A - no PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Pegasys
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/2/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NO
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): Pegasys
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: John Grovenstein
10. Provide an overview of the system: System identifies employees and contractors with
badges and allows authorized badge holders to access the NIEHS facility. System issues badges
to NIH & NIEHS personnel.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system is used to issue badges and is used only by staff involved with issuing badges. SOR#
09-25-0216
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information is used to
identify badge holders and issue badges that allow employees and contractors access to NIEHS
facilities. Information is copied from the NIH directory (NED) or is provided by the badge
holder. The only IIF collected in this system is a photo for the badge. Information can be
retrieved by name. The information is mandatory for employees and others who are given NIH
badges.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) If changes are made to the badge system, personnel are
notified by all-hands e-mail. Information that is not already in the NIH Enterprise Directory is
collected from individuals when they request a badge. Only individuals who are in NED are
eligible for badges. The information is used by security personnel to issue badges. It is not
shared. The photo is required for a badge. Individuals may report any changes in information to
security personnel who will change it.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is password protected according
to NIH policy. System access is limited to those who use or manage the system. The system is
housed in the NIEHS facility with tightly controlled access including guards, key cards and
badges. The NIH/NIEHS network is protected by firewall and intrusion detection systems.
Remote access requires VPN.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Supplement
Operations System (SOS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: NA
6. Other Identifying Number(s): NA
7. System Name (Align with system Item name): NIH NIEHS Supplement Operations System
(SOS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Christie Drew
10. Provide an overview of the system: The National Institute of Environmental Health
Sciences (NIEHS) Supplement Operations System (SOS) provides NIEHS Division of
Extramural Research and Training (DERT) with an automated way to process and track
administrative supplements. It is intended to replace the antiquated method of manually passing
the supplement folder from person to person. It extracts information from the Information for
Management, Planning, Analysis, and Coordination II (IMPAC II) system, which is a parent
system that provides the additional benefit of avoiding mistakes from manually entering the
grant data. The system also uses Microsoft Windows authentication to allow login for
NIH-approved users. Program staff provide comments and justification for the supplements. The
Review Committee chair submits recommendations to the Division Director for a funding
decision. Anyone (not members of the public; only Federal employees and contractors) involved
in the process can upload the comments or additional documentation. A formal memo is
generated and electronically stamped. The Division Director signs the document off line and then
uploads the final memo to SOS. Finally, a combined file is generated for distribution to the
eGRANTS file.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The system extracts the
name of the Principal Investigator, Institution name, grant number, supplement type, names of
the NIEHS DERT Program Officer and Grants Management Specialist, and title of the parent
grant from IMPAC II. The only information collected, maintained, and disseminated is input
from the program staff (federal employees ONLY). The only other information collected,
maintained, and disseminated is the program staff comments. (2) The NIEHS will use the
information as an automated way to process and track grant administrative supplements. (3)
NIEHS SOS itself does not collect any PII. However, it does pull data from IMPAC II, and that
data does contain PII; that information is then made available to users of NIEHS SOS. (4)
There is no submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) As provided in the IMPAC II PIA, no process exists to
notify or obtain consent when there is a major change to the system that affects disclosure and/or
data uses, since the notice is given at the time of the original collection. Applicants are notified
that data is collected when they enter it into the system or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The administrative, physical and technical
controls for this system mirror the controls used for the IMPAC II system, which has been
assessed with its own PIA.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS ToxFX Analysis
Tool (ToxFX)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIEHS ToxFX Analysis Tool (ToxFX)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Scott Auerbach
10. Provide an overview of the system: The ToxFX analysis tool is an NIEHS-owned
toxicogenomic resource that allows for automated analysis of gene expression data. This
resource is of interest to those that work in the field of toxicology and environmental disease.
The core component of ToxFX is a collection of gene expression studies derived from
tissues/organs of rats exposed to a variety of drugs and well-documented toxicants. The data for
this resource is derived from the DrugMatrix database. The ToxFX interface allows users to
upload their own data for automated scoring of toxicity signatures and generates a report (PDF
format) that provides a variety of metrics on the uploaded data set including predicted toxicities.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The toxicology
information collected will be from rats only; (2) NIEHS will use the information for toxicity
studies; (3) the information does not contain PII; and (4) N/A.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Toxicogenomics
Initiative Database (CEBS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-6204-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): CEBS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jennifer Fostel
10. Provide an overview of the system: Development of knowledge base including collection,
processing, search and display of data from microarray, proteomics and toxicological assays
conducted through a variety of intramural and extramural research partnerships. Goals include
creating a public database relating environmental stressors to biological responses, collecting
information relating environmental exposures to disease, and developing an improved paradigm
for use of computational mathematics for understanding responses to environmental stressors.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
It discloses the name and affiliation of scientists who have contributed data in order to credit
their work. SOR 09-25-0200
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Data is from microarray,
proteomics and toxicological assays conducted through a variety of intramural and extramural
research partnerships. Data is collected in multiple research settings following scientific study
protocols. No personal information is collected about experimental subjects. Scientific
collaborators may voluntarily register and provide their names and affiliation.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All registrations are voluntary. Contributors to the
database register to be credited with their contribution. Changes to the system are announced on
the Web page. The Web site contains a privacy statement. The CEBS administrator can be asked
at any time to change or remove information.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The name and affiliation of contributors
(provided voluntarily by depositors) are stored in a database in NIEHS and posted on the website
in order to acknowledge the depositor's contribution. We do not collect any PII about
experimental subjects.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Toxicology Data
Management System Enterprise and Laboratory Data Acquisition System
(TDMSE/LDAS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-6202-00-110-249, 009-25-01-05-02-6205-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): n/a
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): Toxicology Data Management System
Enterprise and Laboratory Data Acquisition System (TDMSE/LDAS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jennifer Fostel
10. Provide an overview of the system: The Laboratory Data Acquisition System (LDAS)
collects in-life and pathology data from rodent studies and transmits data to the Toxicology Data
Management System Enterprise (TDMSE) database where it is stored and analyzed. Other
systems maintain, in relational databases suitable for analysis, all the information resulting from
the conduct of multiple types of NTP studies and make it available. The system also includes loading
completed study data into the NIEHS Oracle database, developing procedures for the testing labs
to electronically download study data directly, and enhancing the study tracking system.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII is shared between TDMSE and LDAS using secured file transfer protocol (SFTP).
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Data are collected in
multiple research laboratories following scientific study protocols. The data comes from the
numerous scientific studies conducted by the National Toxicology Program. The testing
program is described at http://ntp.niehs.nih.gov/go/about. Accounts listing user name, facility
and unique operator number are created in the TDMSE and LDAS systems as requested in order
for personnel at the contract labs to collect and/or view data stored in either system. At the time
of initial login to TDMSE, users are requested to select security questions to allow individuals
to reset passwords. Answers to the security questions are stored in TDMSE.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) All accounts are created at the user's request. Users
provide their name and facility and are informed of their unique operator number after the
account has been set up. Once assigned, operator numbers are not changed. Users are provided
with a temporary password which they must reset the first time the system is accessed. The new
user defined password is stored in the TDMSE database. Users are given a choice of security
questions, some requiring PII and some not. Changes to the user name, facility, security
questions or answers take place at the request of the user.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Changes to user accounts can only be made
by system administrators, with the exception of the security questions or answers; changes
to those parameters are controlled by the user. User profiles are maintained through the Maintain
User function within the Administrative section of the TDMSE application. Access to this
section of the application is restricted to system administrators. User passwords and security
questions/answers are stored in the TDMSE database. The server housing the PII is located at the
NIEHS secure data center. The systems housing the PII can only be accessed with password
protected accounts which have been set up by the system administrators. Administrators also
control the level of access users are granted based on their role at the facility. Passwords are
known only to the user and must be renewed every 90 days. Once logged in to the system the
application times out after 60 minutes of non-use. Only user names are visible to others based on
facility. Only users at the same facility and with the appropriate access can see the names of
other users at the facility.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kim Minneman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS CAGT System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-25-5156-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIGMS Community for Advanced
Graduate Training (CAGT) System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lorena Geddes
10. Provide an overview of the system: An interactive web-based system to promote
collaboration between T34 and T32 PIs and between T32 PIs and T34 undergraduate minority
students seeking graduate training in NIGMS pre-doctoral biomedical programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is disclosed or shared only as described in the SOR. This information is addressed in the NIH
Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume
67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: We do not maintain NIH
employees' information in this system.
CAGT has 3 types of system users:
1) Current students participating in T34 programs seeking information about T32 pre-doctoral
biomedical programs at various institutions.
2) T34 and T32 professors who are conducting training research programs supported via an NIH
grant within NIGMS.
3) T32 assistants of T32 PIs.
For the above users, the following IIF is collected: names, mailing addresses, phone numbers,
email addresses, institution names and affiliations, and areas of scientific training interests.
All the information collected is not voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no standard process to notify and obtain
consent from the individuals whose IIF is in the system when major changes occur to the system,
however, since contact information is updated regularly, contact in this situation could be
performed by correspondence, email, or phone.
For statistical purposes, the data is collected and permanently maintained sorted by academic
year in the NIGMS database archives. However, the student data is deleted from the system in
July of every year. New participant contact information is collected and maintained from
August through May in the system.
The system displays on the website a privacy notice that informs individuals of their rights regarding
Privacy Act data.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to certain information with different
levels of authorization in CAGT is limited to NIGMS/NIH Program Officials, and Principal
Investigators (PIs), T32 assistants and students at institutions who are currently participating in
the NIGMS T32 and T34 biomedical programs. NIGMS/NIH Program Officials use their NIH
Single Sign-On username and password to access CAGT. They oversee the training programs
and have access to the user contact information. PIs and T32 assistants can gain access to CAGT
via their active NIH eRA COMMONS account. PIs and T32 assistants have access to their
students' data. Students gain access to CAGT by registering on the website and getting approval
from their respective PI at their institution on an annual basis.
Technical Controls, currently in place, are: user identification and passwords (as described
above), and NIGMS and NIH firewalls - set to protect all the NIGMS and NIH systems.
Administrative Controls are as follows: the implementation of the NIGMS standard security
plan, the process and procedure for purging files, required user training, and distribution of the CAGT
system user's guide, which is given to PIs to distribute to students in the T32/T34 training
programs.
Physical Access Controls include:
1) Controlled physical access to the server via a key card access control list indicating the
administrators allowed to access the LAN Room.
2) The database server is maintained by CIT in an access-controlled location.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Employee
Directory (GMED)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5151-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0015
7. System Name (Align with system Item name): NIGMS Employee Directory (GMED)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Susy Correa-Salazar
10. Provide an overview of the system: Provides photographs and contact information for
NIGMS staff. Photographs are for internal use only.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
SOR 09-25-0216. This information is further addressed in the NIH Privacy Act Systems of
Record Notice 09-25-0216, published in the Federal Register, Volume 67, No. 187, September
26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The only IIF information
collected from the employee by this system is the digital image, for use to familiarize other staff
with new employees. Other information in the system includes work related (work number,
room) data and is accessed from the NED system. Other work related information entered
includes start and end date and organization unit. Submission/collection of the image is
voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) As part of the new staff orientation procedures, staff are
given verbal notice for their consent to display the photograph on the NIGMS intranet and
verbally advised on the use of the photograph.
Email notification would be used to notify and obtain consent from individuals when major
changes, if any, occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The digital image is stored using NTFS file
protections. The intranet site that displays the photographs is available only on the NIGMS
Intranet, and is protected by AD account and password in a secure room with restricted Card Key
access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Extramural
Support System (NESS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-5111-00
009-25-01-05-02-5111-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0008
7. System Name (Align with system Item name): NIGMS Extramural Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Alexander Naneyshvili
10. Provide an overview of the system: Support extramural research activities for NIGMS that
are not supported by NIH or HHS enterprise systems. The system uses enterprise (SOR 09-25-
0036) IMPAC2 data. The system does not contain IIF data.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system downloads and
stores grant data from the IMPAC 2 database. The data are stored locally for performance
reasons, and are refreshed daily to ensure accuracy. Data includes application review status
(preaward data) and Principal Investigator name, work address and phone number. The data also
includes the assigned program official's name and work contact data, and the assigned grants
management specialist's name and work contact data. The data are used to support local
extramural research activities for NIGMS that are not supported by NIH or HHS enterprise
systems. The system uses enterprise (SOR 09-25-0036) IMPAC2 data. The system does not
download, collect, maintain, or disseminate any IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The data is stored using NTFS file
protections. The intranet site on which the system is hosted is available only on the NIGMS
Intranet, is protected by AD account and password, and is hosted in a secure room with restricted card key
access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Grantee Email
System (GEMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5153-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0005
7. System Name (Align with system Item name): Grantee Email System (GEMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lorena Geddes
10. Provide an overview of the system: The system is used to generate email messages
regarding NIGMS Extramural program information to targeted groups of NIGMS grantees.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system allows users to
upload Comma Separated Values (CSV) format files containing email addresses, and stores them
locally on a temporary basis to improve performance. The system does not collect, manipulate,
manage, or disseminate this data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is no IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Integrated
Software and Equipment Tracking System (ISETS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5146-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0016
7. System Name (Align with system Item name): Integrated Software and Equipment
Tracking System (ISETS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lorena Geddes
10. Provide an overview of the system: IT support system that allows detailed tracking of
reservations and returns of portable accountable equipment such as laptops and PDAs. Phase II
of system provides ability to track software purchases and licensing.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects
equipment information and tracks loaned equipment and software for NIGMS. An internal ID is
used to link the equipment to the name of the requestor, as provided by the NED system. The
ISETS system does not contain any IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Internet
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0007
7. System Name (Align with system Item name): NIGMS Internet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ann Dieffenbach
10. Provide an overview of the system: The NIGMS Internet is a website that provides
information about the mission and programs of the NIGMS.
The NIGMS Internet is a web-based application hosted by NIH CIT and serves as the institute's main
tool for public outreach. The contents are manually entered by the NIGMS
OCPL and IRMB staff.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NIGMS Internet is a
website that provides information about the mission and programs of the NIGMS. The system
does not contain any IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is a disclaimer posted on the Internet site describing how the
data collected will be utilized.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The Internet site does not store or maintain IIF. It
only collects it and passes the data through to a secured internal database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Internet Employee
Directory (NIED)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5152-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0026
7. System Name (Align with system Item name): NIGMS Internet Employee Directory
(NIED)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Susy Correa-Salazar
10. Provide an overview of the system: The Staff Contacts page facilitates the public’s ability
to locate and contact members of NIGMS. The system provides the ability to search NIGMS
staff contact information based on First Name, Last Name or Division/Branch. Partial searches
are supported for any of the possible search terms.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is disclosed or shared only as described in the SOR. This information is addressed in the NIH
Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume
67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The data disseminated by
the system consists of following elements: NIGMS employees first name, last name, position,
work phone, work room number and the NIGMS organizational component. The system does
not contain any IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Intranet
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5144-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): NIGMS-0018
7. System Name (Align with system Item name): NIGMS SharePoint Internal
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Susy Correa-Salazar
10. Provide an overview of the system: The NIGMS Intranet is a website that provides
information about the mission and programs of the NIGMS to internal NIGMS staff and
contractors.
The NIGMS Intranet is a web-based application hosted by NIGMS and serves as the institute's main
tool for in-house outreach. The contents are manually entered by the various content
contributors that have been designated by division chiefs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The data disseminated by
the system consists of following elements: NIGMS employees first name, last name, position,
work phone, work room number and the NIGMS organizational component. The system does
not contain any PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The Intranet site does not store or maintain IIF. It
only collects it and passes the data through to a secured internal database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS MDR
Supplements System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-09-02-5154-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0003
7. System Name (Align with system Item name): Supplements Tracking System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Alexander Naneyshvili
10. Provide an overview of the system: Collect and maintain data used to generate a required
report on Research Supplements for Underrepresented Minorities and Individuals with
Disabilities
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information is normally only shared in aggregate form in a report. The data collected is
made available to those outside NIH only as specified in the SOR (09-25-0036)
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected is
required for determining the eligibility of the requestor for a financial supplement; it is
mandatory information and is provided by the applicant as part of the application process. The
system also contains data on educational level, gender, citizenship status, and ethnicity. The data
are used only for reporting purposes, and are only provided in aggregate form without identifying
information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No information is collected from individuals, so there is
no method to notify individuals or obtain consent. There is no process to notify or obtain
consent from individuals in the event of a major system change.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Regular access to information is limited to
NIGMS staff that are collecting the information or generating the report. Contractor employees
may have access on an as-needed basis for system administration and maintenance. Other access
is granted only on a case-by-case basis, consistent with the restrictions required by the Privacy
Act (e.g., when disclosure is required by the Freedom of Information Act), as authorized by the
system manager.
Access is controlled by individualized Oracle accounts, providing role-based access to the
database. NIH AD accounts provide access to the client-side application via server ACLs,
authenticating and authorizing the appropriate staff to the server housing the client-side
application.
The Oracle database is protected within a locked CIT LAN room facility, while the NIGMS server
housing the client-side application is located within a key-card-controlled LAN room at the
NIGMS location.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Meeting
Registration System (MREGS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5143-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0017
7. System Name (Align with system Item name): NIH NIGMS Meeting Registration System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anjum Dahya
10. Provide an overview of the system: Provides support for various extramural and scientific
meetings, including meeting information dissemination and registration.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is disclosed or shared only as described in the SOR. This information is addressed in the NIH
Privacy Act Systems of Record Notice 09-25-0106, published in the Federal Register, Volume
67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects the
registrant's name, title, address and e-mail. The meeting registrant can provide either work or
home contact information, but normally the information collected is work related. The purpose
is for registering attendees for meetings. All the information collected is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This data is temporarily maintained only during the
meeting period and shortly thereafter for sending out post-meeting materials. Major system
changes do not occur during the data collection (registration) period.
The system has a privacy notice that notifies individuals of their rights regarding Privacy Act
data.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to registration data is limited to the
meeting sponsor and assistants, and to administrative staff. Meeting registrants may indicate if
their information may be displayed on the website for collaboration and networking. Contractor
employees may have access on an as-needed basis for system administration and maintenance,
and data may be provided to contractors who are facilitating the meeting for developing name
tags, determining room requirements, etc. Other access is granted only on a case-by-case basis,
consistent with the restrictions required by the Privacy Act (e.g., when disclosure is required by
the Freedom of Information Act), as authorized by the system manager.
Technical access controls include:
- Controlled physical access to the server via a key card access control list indicating the
administrators allowed to access the LAN room. The database server is maintained by CIT in an
access-controlled location.
- Meeting sponsors, assistants and developers have role-based access to the Oracle backend
database via individualized Oracle accounts.
- Meeting sponsors and assistants access administrative meeting functions via a web interface
located on the NIGMS Intranet rather than via a public web server. The Intranet requires
authentication via NIH AD accounts and NIH Enterprise Single Sign-On.
- Server admins control access to the server via ACLs and NIH AD accounts.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS NIGMS General
Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009 25 0200 01 3109 00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIGMS GSS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ivan N. Waldman
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS OCPL Image
Gallery (OCPLIG)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5157-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0024
7. System Name (Align with system Item name): OCPL Image Gallery (OCPLIG)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Susy Correa-Salazar
10. Provide an overview of the system: OCPLIG is a repository of NIGMS still image and
video media that can be accessed by the public for media relations and educational resources.
The OCPLIG supports storing, locating and retrieving of visual media by the public.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects
NIGMS still images and video information and consists of the following elements: description
type, source, date, size and format. The OCPLIG system does not contain any IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS OCPL
Publications Database (OPDB)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5158-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0004
7. System Name (Align with system Item name): OCPL Publications Database (OPDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anjum Dahya
10. Provide an overview of the system: Collect and maintain addresses of people who have
requested receipt of NIGMS educational materials and publications. NIGMS and its contractors
will use the data to generate mailing labels.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NIGMS Internet
website provides a listing of publications and electronic mailing lists that are available free of
charge. Persons wishing to obtain the materials or subscribe to electronic information must
provide their email address or mailing information. Data includes name and mailing address(es),
phone number, and email address. This contact information may be for work or home, depending
on the preference of the person requesting the materials. No other identifiable information is
requested, and the use of personal email and address, if used, would classify the information as
IIF. These data are used in sending the requested materials to the requestor. The information
being requested is voluntary; however, we cannot respond to the request for materials without
their name and email or location address.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The website contains a privacy act statement notifying
individuals about what IIF is being collected from them and how the information will be used.
The website privacy policy describes the process for removing or correcting this information.
There is no process in place to notify individuals when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Regular access to information is limited to
NIGMS staff who are collecting the information or sending materials. Developers and/or
contractor employees may have access on an as-needed basis for system administration and
maintenance. Other access is granted only on a case-by-case basis, consistent with the
restrictions required by the Privacy Act (e.g., when disclosure is required by the Freedom of
Information Act), as authorized by the system manager.
The database is protected within a locked facility with key card controlled access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Pharmacology
Research Associate Tracking System (PRAT)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5159-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0124
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0006
7. System Name (Align with system Item name): PRAT System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anjum Dahya
10. Provide an overview of the system: The PRAT system is a web-based system that was
developed to collect and maintain information on PRAT participants. In particular, this system
enables PRAT administrators to track alumni's career progress, and subsequently, use the
collected information to report to NIH, the GAO and Congress.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The data collected is made available to those outside the NIH only as described in the SOR (09-25-
0124). This information is further addressed in the NIH Privacy Act Systems of Record Notice
09-25-0124, published in the Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: IIF data includes name and
addresses for identification purposes, and is entered into the database while the PRAT fellow is
an employee of NIGMS. Other data include contact information such as phone number if work
contact information is not available. These data are used in maintaining contact with the former
fellows for collecting yearly status on progress after the program. Awards, degrees, and other
education and employment information are used in aggregate for determining summary
outcomes for congressional justification and reporting.
The PRAT program regularly requests the most recent CVs from all former fellows. Standard
information from these (title, organization, work address, etc.) is used to update the PRAT
database. Submission of these CVs is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no standard process to notify and obtain consent
from the individuals whose IIF is in the system when major changes occur to the system;
however, since contact information is updated regularly, contact in this situation could be
performed by correspondence, email, or phone.
Initial entry of IIF (name, address, phone numbers) is required by the program and is not
voluntary. When former PRAT fellows are contacted and asked to submit their CVs, they are
told that submission is voluntary. No IIF that is outside of the public domain is requested after
the initial, mandatory entry.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Regular access to information is limited to
NIGMS staff who are collecting the information or sending materials. Developers and/or
contractor employees may have access on an as-needed basis for system administration and
maintenance. Other access is granted only on a case-by-case basis, consistent with the
restrictions required by the Privacy Act (e.g., when disclosure is required by the Freedom of
Information Act), as authorized by the system manager.
The database is protected within a locked facility with key card controlled access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS SCORE
Institution/Investigator Database (SCORE-ID)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-5161-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): SCORE Institution/Investigator Database
(SCORE-ID)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Susy Correa-Salazar
10. Provide an overview of the system: SCORE is a developmental program for principal
investigators (PIs) at minority serving Institutions. The goal of the program is to have individuals
supported by the developmental programs transition out of the program and into regular research
grants. The SCORE-ID system will support the SCORE Program Directors with the information-
handling needs not currently supported by other enterprise systems, such as automated system
for retrieval and presentation of IMPAC II, NSF, and PubMed data on SCORE-participating
Institutions, giving program users the ability to track PI and Institutional progress towards the
SCORE program goals.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is disclosed or shared only as described in the SOR. This information is addressed in the NIH
Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume
67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system downloads and
stores grant data from the IMPAC II database. The data are stored locally for performance
reasons, and are refreshed daily to ensure accuracy. Data includes application review status
(pre-award data) and Principal Investigator name, work address and phone number. The data
are used to support local extramural research activities for NIGMS that are not supported by NIH
or HHS enterprise systems. The system uses NIH enterprise IMPAC II data.
(SOR 09-25-0036)
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) For statistical purposes, the data is collected and
permanently maintained, sorted by academic year, in the NIGMS database archives.
The system has a privacy notice that notifies individuals of their rights regarding Privacy Act data,
which is displayed on the website.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: NIGMS/NIH Program Officials use their
NIH Single Sign-On username and password to access SCORE-ID.
Technical Controls, currently in place, are: user identification and passwords (as described
above), and NIGMS and NIH firewalls - set to protect all the NIGMS and NIH systems.
Administrative Controls are as follows: the implementation of the NIGMS standard security
plan, the process and procedure for purging files, required user training, and distribution of the
SCORE-ID system user's guide, which is provided to the program officials.
Physical Access Controls include:
1) Controlled physical access to the server via a key card access control list indicating the
administrators allowed to access the LAN Room.
2) The database server is maintained by CIT in an access-controlled location.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS SOFIE
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0022
7. System Name (Align with system Item name): Status of Funds Internet Edition (SOFIE)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Gene Hernandez
10. Provide an overview of the system: The SOFIE application is a reporting tool that allows
budget offices to track expenditures of appropriated funds in a fiscal year. The application
downloads information from the NIH Data Warehouse.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system does not collect
Privacy Act Information. The system provides access to accounting data from the NIH Data
Warehouse and does not contain any IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS System for
Application Management (SAM)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-5162-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NIGMS-0017
7. System Name (Align with system Item name): System for Application Management (SAM)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anjum Dahya
10. Provide an overview of the system: The System for Application Management (SAM)
supports the first stage of scientific peer review for extramural grant programs. The initial
prototype was designed to support the NIH Director's Pioneer and New Innovator Award
programs. SAM incorporates a database of potential reviewers and provides tools for
maintaining the reviewer database; compiling, inviting, and managing panels of outside
reviewers; importing and analyzing data on submitted applications; and producing conflict-free
mappings of applications to reviewers based on program-specified rules.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information is shared with the NIGMS NDPA or NIA administrator who inputs and updates
data, NIGMS IRMB contract staff for system maintenance, and NIGMS scientific staff working
on the NDPA who have read access.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected does
contain IIF, such as:
The reviewer's name, institution information (e.g., institution name, address, phone and email),
gender and minority indicator flag, and field of scientific expertise are collected in order to
match an outside expert with an NDPA or NIA application to review that is within their
scientific area for funding consideration.
The personal information requested is mandatory and could be viewed as a prerequisite to
participation in the review process.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The information is shared with the NIGMS NDPA or
NIA administrator who inputs and updates data, NIGMS IRMB contract staff for system
maintenance, and NIGMS scientific staff working on the NDPA who have read access.
In support of the NIH Director's Pioneer Award (NDPA) and the NIH Director's New Innovator
Award (NIA), the SAM system contains the contact information and the scientific expertise of
scientists who volunteer to review the NDPA grant applications for NIH funding.
These scientists are usually NIH grantees who have an eRA Commons account. This information
and all relevant communications and consents are obtained electronically as well.
Disclosure may be made to a private contractor or Federal agency for the purpose of collating,
analyzing, aggregating or otherwise refining records in this system.
The contractor or Federal agency will be required to maintain Privacy Act safeguards with
respect to these records.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Regular access to information is limited to
NIGMS staff who are collecting the information or sending materials. Developers and/or
Contractor employees may have access on an as-needed basis for system administration and
maintenance. Other access is granted only on a case-by-case basis, consistent with the
restrictions required by the Privacy Act (e.g., when disclosure is required by the Freedom of
Information Act), as authorized by the system manager.
The database is protected within a locked facility with key card controlled access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS System for CBI
Training Grant Analysis (SCBI)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-5165-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): System for CBI Training Grant Analysis
(SCBI)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Alexander Naneyshvili
10. Provide an overview of the system: SCBI provides a secure Oracle database for storage of
data pertaining to CBI training grant (T32) applications and a web-based front end for data entry
and reporting. It has the capability to synchronize training grant data with IMPAC II, to allow
entry and display of supplemental data for each grant, and to provide a detailed report of all
stored data for each grant. The system also includes summary views and reports as needed. Core
application data obtained from IMPAC II includes applicant name, council, grant number,
institution, summary statement, applicant image, and scoring information. Supplementary data is
entered by NIGMS employees or its contractors and includes faculty, student and department
statistics; program requirements in several areas; program mission descriptions; and Program
Director notes. The data is used in aggregate for the production of required reports, and the
database is maintained and accessed only by NIGMS employees or its contractors.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is disclosed or shared only as described in the SOR. This information is addressed in the NIH
Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume
67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory:
The system downloads and stores grant data from the IMPAC II database.
The data are stored locally for performance reasons, and are refreshed daily to ensure accuracy.
Data includes Council, Grant #, PI Name, Institution, Status of Award, PS, SS, FAC, SLOT,
SUP...etc. The data are used to support local extramural research activities for NIGMS that are
not supported by NIH or HHS enterprise systems.
The system uses NIH enterprise IMPACII data.
(SOR 09-25-0036)
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) For statistical purposes, the data are collected and
permanently maintained, sorted by academic year, in the NIGMS database archives.
The system has a privacy notice, displayed on the website, that notifies individuals of their rights
regarding Privacy Act data.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: NIGMS/NIH Program Officials use their
NIH Single Sign-On username and password to access SCBI.
Technical Controls, currently in place, are: user identification and passwords (as described
above), and NIGMS and NIH firewalls - set to protect all the NIGMS and NIH systems.
Administrative Controls are as follows: the implementation of the NIGMS standard security
plan, the process and procedure for purging files, required user training, and distribution of the
SCBI user's guide, which is provided to the program officials.
Physical Access Controls include:
1) Controlled physical access to the server via a key card access control list indicating the
administrators allowed to access the LAN Room.
2) The database server is maintained by CIT in an access-controlled location.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Workshop
Registration Management System (WRMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIGMS Workshop Registration System
(WRMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anjum Dahya
10. Provide an overview of the system: WRMS is a web-based system for all internal/external
applicants who wish to attend an upcoming workshop hosted by NIGMS. It also provides
support for various scientific workshops, including workshop information dissemination and
registration.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information will be disclosed to NIGMS program managers responsible for coordinating the
workshop. IIF is disclosed or shared only as described in the SOR. This information is addressed
in the NIH Privacy Act.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects the
applicant's name, address, phone, education background, email and postdoctoral advisor
information (name, email, title, address, institution). The contact information will be used to
invite applicants to attend the workshop and to process their expense reimbursement. The
information will be disclosed to NIGMS program managers responsible for coordinating the
workshop. All the information collected is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This data is temporarily maintained, only during the
workshop period and shortly thereafter for sending out post-workshop materials. Major system
changes do not occur during the data collection (application submission) period.
The system has a privacy notice that notifies individuals of their rights regarding Privacy Act
data.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to applicant data is limited to the
workshop sponsor and assistants, and to administrative staff. Contractor employees may have
access on an as-needed basis for system administration and maintenance, and data may be
provided to contractors who are facilitating the workshop for developing name tags, determining
room requirements, etc. Other access is granted only on a case-by-case basis, consistent with
the restrictions required by the Privacy Act (e.g., when disclosure is required by the Freedom of
Information Act), as authorized by the system manager.
Technical access controls include:
- Controlled physical access to the server via a key card access control list indicating the
administrators allowed to access the LAN Room. The database server is maintained by CIT in an
access-controlled location.
- The workshop project manager, assistants and developers have role-based access to the Oracle
backend database via individualized Oracle accounts.
- Workshop sponsors and assistants access administrative workshop functions via a web interface
located on the NIGMS Intranet rather than via a public web server. The Intranet requires
authentication via NIH AD accounts and NIH Enterprise Single Sign-On.
- Server admins control access to the server via ACLs and NIH AD accounts.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kimberly Allen
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Administrative
System (NAS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-9219-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0217
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIMH Administrative System (NAS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: William Hermach, NIMH ISSO
10. Provide an overview of the system: The NIMH Administrative System facilitates all the
administrative support services necessary to support the NIMH mission. The system is part of the
NIMHnet GSS.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system stores employee data such as names and phone numbers for NIMH Administrative
Officer (AO) use. Reference SOR#: 09-25-0217
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects
employee IIF data such as names and phone numbers for NIMH internal use in maintaining IT
accounts and emergency contact information. Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The system follows the NIMH Emergency Contact
Procedure and Account Procedures for maintaining individual IIF information. Individuals are
notified via email by their respective AO when any major changes to the system or data use
occurs. NIMH staff consent to have their IIF stored in the system at the time of employment.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The IIF will be secured on the system using
NIMH Administrative Policies, technical access controls that enforce least-privilege access, and
encryption of sensitive data, as well as limited physical access to the system via card key.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Clinical Brain
Disorders Branch Database (CBDB)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Does not map to a UPI, part of the IRPnet C&A
(GSS)
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Clinical Brain Disorders Branch Clinical
Database (CBDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Michael F. Egan, MD
10. Provide an overview of the system: This database includes clinical data on research
subjects studied at the NIH in the Clinical Brain Disorders Branch. The authorizing authority is
NIH Public Health Service Act, Section 301. The Website includes registration and information
on CBDB lecture series.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose IIF. Reference SOR#: 09-25-0200
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: We collect IIF information
(name, phone, email, address and other research info) when subjects apply to volunteer for
research protocols approved by our Institutional Review Board. We use the information to study
brain function and the biology of mental illness. Personal information collected from subjects
who apply for entry into the research studies includes a limited amount of demographics,
psychiatric and medical history and related clinical information. Personal information collected
from subjects accepted into the research studies includes additional demographics, psychiatric
and medical history and related clinical information, as well as developmental history, and a
variety of measures of brain function. Submission of IIF is voluntary to participate in research
studies. Minimal PII (name, address, and phone number) is collected for CBDB lecture
registration.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is obtained from subjects who contact our
recruitment department and from subjects who participate in our research protocols. Subjects are
requested to provide us with this information for the purposes of evaluating their suitability for
research and for the actual research itself. Subjects who are accepted into the protocol sign an
IRB approved consent form, which describes what information is to be collected. Participants
are told that information they provide is confidential and will only be shared with members of our
research team. Notification is provided to individuals upon application to participate in a
research protocol. Notification is provided via email or Web publication when major changes
occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The information is stored in a password
protected computer database, physically located in a locked research ward. The IIF will be
secured on the system using NIMH Administrative Policies, technical and encryption access
controls and limited personnel physical access to the system via card key.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Employee
Database, Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): EDIE (Employee Database, Internet Edition),
formerly Visual Employment Database System (VEDS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Quang Tran
10. Provide an overview of the system: EDIE/VEDS is a windows and Web based application
primarily used to manage and track personnel information. Authority for maintenance of the
system is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521, and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose IIF. Reference SOR#: 09-90-0018. This information is
further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in
the Federal Register, Volume 59, November 9, 1994.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDIE/VEDS tracks all
information pertinent to a personnel file for the purpose of personnel management activities.
Information is collected from employees via the NED system. Uses consist of the following: a)
tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby
avoiding any break in service, b) ensuring that allocated FTE ceilings are maintained, c) ensuring
salary equality for various hiring mechanisms, d) providing reports requested by the NIH
Director, IC Director and other management staff, and e) maintaining lists of non-FTEs, special
volunteers, contractors, and other hiring appointments. The information collected constitutes IIF,
and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF in the system is gathered from the NED system.
Changes to the system or changes in the way the information is used are relayed to employees via
official notices from the NIMH AO. Individuals are notified of the collection and use of data as
part of the hiring process; providing the data is mandatory if the potential job applicant wishes to
seek employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Authorized users have been trained in the
Privacy Act and systems security requirements. To ensure security of the data, each individual
user’s access level is managed by the Administrator to ensure minimum and necessary access.
The server is located in a locked room and is accessible only to specified system support
personnel and is also protected by a limited access log-on procedure.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Extensive Neuro-imaging Archiving Toolkit (XNAT)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Does not map to a UPI, part of the NIMH IRPnet
C&A (GSS)
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Extensive Neuro-imaging Archiving Toolkit
at NIH (XNAT@NIH)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Thalene T. Mallus
10. Provide an overview of the system: The XNAT application supports neuro-imaging
research by archiving and processing information about subjects and neuro-imaging scans in
which they have participated. The database maintains information on approximately 1800
subjects and approximately 10,200 scans over the past 6 years.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose IIF.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system will store
personal (IIF) and medical information about subjects and neuro-imaging scans for the purpose
of mental health research. The submission of IIF is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Subjects of the system will be contacted electronically
and/or in person regarding any major system changes.
A protocol consent notice, containing laboratory contact and data use information as well as
patient rights and concerns, will be used for each subject prior to collection of IIF.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The database system is behind the
perimeters of the NIH firewalls. Least privilege password access to the database is utilized to
restrict role based access.
Administrative and technical
- Multifactor authentication:
+ originating IP address
+ X.509 client certificates
+ password authentication
- Encrypted file system for fields containing IIF
- Ongoing host and network security processing, including
regular software and OS patching
- Appropriate logging for audits
Physical controls
- Restricted access to host computer
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Grants
Management System (GMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-9203-00-205-080
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIMH Grants Management System (GMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: William Hermach
10. Provide an overview of the system: The Grants Management System's overall purpose is to
support the management and administration of NIMH's grants. The system is part of the
NIMHnet GSS.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system shares and discloses IIF with the NIMH support and Program staff to send
information and correspond with the contacts. Reference SOR number: 09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NIMH collects and
maintains researcher names, mailing addresses, phone numbers, professional qualifications and
areas of expertise for NIMH grants management purposes. The information is voluntarily
submitted.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIMH grants management procedures involve
notification and consent to submit IIF to the system during the grant application process.
Individuals whose IIF is in the system are notified when major changes occur by email.
Individuals are notified and consent to provide IIF collected by the system in order to provide
contact information when applying for NIMH grants.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The IIF will be secured on the system using
NIMH Administrative Policies, technical and encryption access controls and limited personnel
physical access to the system via card key.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Human Subject
Research Database (MAP)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Does not map to a UPI, part of the NIMH IRPnet
C&A (GSS)
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): MAP Human Subject Research Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Daniel Pine, 15K North Dr.
Bethesda, MD 20892
10. Provide an overview of the system: The MAP system collects and centralizes research data
for human subjects enrolled in studies conducted by MAP. IIF is stored in order to adequately
distinguish subjects, and contact subjects, if necessary. Demographic data and results from
psychological testing are stored and used for research purposes. Scientific data which is large in
size (such as MRI scans, EEG scans, some genetics results) is not likely to be stored, although
fields describing their location are sometimes used. The system is part of the IRPnet GSS.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: IIF is collected with the
main purpose of recording human subject classification data for medical research. Certain IIF
such as date of birth may be used for scientific purposes (e.g., correlating an observation with
age), but never in a manner that could breach confidentiality. The submission of IIF is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Subjects of the system will be contacted electronically
and/or in person regarding any major system changes.
A protocol consent notice, containing laboratory contact and data use information as well as
patient rights and concerns, will be used for each subject prior to collection of IIF.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The database system is behind the
perimeters of the NIH firewalls. Least privilege password access to the database is utilized to
restrict role based access.
Administrative and technical
- Multifactor authentication:
+ originating IP address
+ X.509 client certificates
+ password authentication
- Encrypted file system for fields containing IIF
- Ongoing host and network security processing, including
regular software and OS patching
- Appropriate logging for audits
Physical controls
- Restricted access to host computer
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH InfoCenter
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-03-02-9218-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106; 09-25-0156
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIMH Information Center
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Christine Kaucher
10. Provide an overview of the system: The NIMH Information Center provides services
needed to handle information inquiries with appropriate responses and information dissemination
regarding Mental Health research and related NIMH data. The NIMH Information Center
provides the necessary services, systems, and qualified personnel to develop and implement such
a program, including the information technology systems necessary to screen, track, monitor, and
respond appropriately to inquiries received by the NIMH. The NIMH Infocenter ensures that
vitally needed and appropriate information on the diagnosis, prevention, treatment, and
underlying causes of mental disorders is disseminated in a cost-effective manner, to members of
the public, mental health and health care professionals. The system is part of the NIMHnet GSS.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is shared with another NIMH contractor, DCARC, that warehouses and ships printed
information. The requested information and shipping information are used to distribute the data.
The requested medical research information and shipping information fall under two different
SOR numbers.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NIMH Information
Center collects the first name, last name, degree, title, organization, address, phone number, fax
number, and email of persons requesting NIMH publicly available information. The purpose is to
provide complete inquiries response and information dissemination of NIMH, Mental Health
research publications and other NIMH materials and Mental Health related information used to
respond to public and professional inquiries. Congress mandates the NIMH to provide Mental
Health information dissemination to reduce the burden of mental illness and behavioral disorders
through research on mind, brain, and behavior. IIF submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Consent from individuals is obtained via the "continue",
"submit" and "confirm" actions required to enter the IIF. The IIF is not and will not be used or shared
other than to disseminate the requested NIMH information to the individual or as required by
law. Major changes to the system are inconsequential to the collected IIF since the turn-around
time to distribute the requested information is immediate or within a couple of days.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The information is housed on a Windows
SQL Server in a physically secured data center with monitored, key-card access. The database
system is behind the perimeters of the NIH firewalls. Least-privilege and role-based access to
the database is utilized to restrict unnecessary IIF access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Internet and
Intranet Web Sites
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-9218-00-305-108
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIMH Websites
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: William Hermach
10. Provide an overview of the system: To disseminate Institute information to the public in
accordance with Public Law 102-321. The system is part of the NIMHnet GSS.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system shares and discloses IIF with the NIMH staff and research partners in support of the
NIMH mission. Reference SOR #: 09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIMH Websites maintain
and disseminate information about mental health disorders, news, research and funding
opportunities as well as institute information. In addition, NIMH Websites provide a portal to
access NIMH Web based applications for grants management, research and administrative
functions. The NIMH collects and maintains researcher names, mailing addresses, phone
numbers, professional qualifications and areas of expertise for NIMH grants management
purposes. The information is submitted voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIMH procedures involve notification and consent
to submit IIF to the system during the grant application and administrative processes. Potential
grantees must consent to provide IIF to the system in order to apply for NIMH grants. NIMH
staff consent to have IIF stored in the system as a condition of employment during the hiring process.
NIMH Web communications staff notify individuals when major system changes or data use
changes occur.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The IIF will be secured on the system using
NIMH Administrative Policies, technical and encryption access controls and limited personnel
physical access to the system via card key.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Laboratory of
Brain and Cognition Database (LBC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Does not map to a UPI, part of the NIMH IRPnet
C&A (GSS)
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Laboratory of Brain and Cognition Database
(LBC)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Thalene T. Mallus
10. Provide an overview of the system: A central repository of subjects and associated contact,
demographic, and medical information necessary for LBC Researchers, Post-Docs and Research
Assistants to determine study availability, eligibility, and obtain MIS requests for LBC
cognitive/imaging research protocols. The system is part of the IRPnet GSS.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose IIF. Reference SOR#: 09-25-0200
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The database collects
names, contact information, demographics, medical, psychiatric, language, eligibility, and
availability information for subjects tested under LBC research protocols. This voluntary
information is used as a source pool of available testing subjects and the personally identifiable
information collected is used for scheduling and eligibility requirements for LBC
cognitive/imaging.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The information is obtained from telephone
conversations with potential research participants. Subjects are told verbally that the information
is being collected into a central repository and will be treated as confidential and used for
research purposes only. Subjects may discontinue participation at any time. After an initial
screening, subjects are scheduled for a history and physical to determine further eligibility.
Consent to participate in the research effort is obtained at the time of the scanning appointment.
Users of the system are contacted electronically and/or in person regarding any major system
changes. The signed protocol consent form for each subject includes laboratory contact
information for study and/or patient-rights concerns.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The information is housed on a Filemaker
Pro Macintosh Server in a locked office space. The database system is behind the perimeters of
the NIH firewalls. Least privilege password access to the database is utilized to restrict
unnecessary access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH NIMH
Headquarters Network [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-9218-00-305-108
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIMHnet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: John Harris
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system shares and discloses PII with NIMH staff and research partners in support of the
NIMH mission. Reference SOR #: 09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIMH procedures involve notification and consent
to submit PII to the system during the grant application and administrative processes. Potential
grantees must consent to provide PII to the system in order to apply for NIMH grants. NIMH
staff consent to have PII stored in the system as a condition of employment during the hiring
process. NIMH Web communications staff notifies individuals when major system changes or
data use changes occur.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII will be secured on the system using
DHHS, NIH and NIMH administrative policies, NIHnet and NIMHnet technical controls, and
encryption of sensitive data. The NIMHnet incorporates role based access controls with the
principle of least privilege access and limited personnel physical access to the data center
systems via card key.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH NIMH Intramural
Research Program Network [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-9219-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): IRPnet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Quang Tran
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information. Information is stored on applications supported by
the GSS and listed in the specific application PIA.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose PII. Reference SOR#: 09-25-0200
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The PII will be secured on the system using
DHHS, NIH and NIMH administrative policies, NIHnet and IRPnet technical controls, and
encryption of sensitive data. The IRPnet incorporates role based access controls with the
principle of least privilege access and limited personnel physical access to the data center
systems.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 009-25-01-01-01-3104-00
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Quang Tran
10. Provide an overview of the system: Status of Funds Internet Edition (SOFie) facilitates
viewing and managing an organization’s accounts. The database stores the organization’s
financial transactions and allows the user to view and summarize as needed for different
reporting mechanisms. The system is part of the IRPnet GSS.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: SOFie stores the IC’s
financial transactions, which are downloaded daily from the NIH Data Warehouse. The ICs use
the information to monitor spending trends and account balances, and for specialized
reporting such as travel reports and salary trends. No personal identifying
information is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIMH specific financial information is
downloaded from the NIH data warehouse system. Suppliers of information and staff are aware
the data is collected through authorized acquisition transactions and provide consent through the
authorized acquisition process and government employment regulations. The information allows
budget offices to track expenditures in appropriate funds in a fiscal year. The application
contains a tracking mechanism to track prior-year funds as well. The notice of consent is handled
electronically through the applicable acquisition process.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Authorized users have been trained in the
Privacy Act and systems security requirements. To ensure security of the data, each individual
user’s access level is managed by the Administrator to ensure minimum and necessary access.
The server is located in a locked room and is accessible only to specified system support
personnel and is also protected by a limited access log-on procedure.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Unit on Integrative
Neuroimaging Database (UINDB)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Does not map to a UPI, part of the NIMH IRPnet
C&A (GSS)
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Unit on Integrative Neuroimaging Database
(UINDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jonathan Shane Kippenhan
10. Provide an overview of the system: This system collects and maintains information about
subjects and neuroimaging scans they have participated in. NIH Public Health Services Act,
Sec. 301. The system is part of the IRPnet GSS.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose IIF. Reference SOR#: 09-25-0200
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects
information on demographics, medical history, medications and neuroimaging scans, all of
which is used to facilitate neuroimaging research. Submission is voluntary. Information is
collected from subjects, who are told that the information will be kept confidential and used only
for purposes of our research projects.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Users of the system are contacted electronically and/or
in person regarding any major system changes. The signed protocol consent form for each subject
includes laboratory contact information for study and/or patient-rights concerns.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Data access is restricted to users with
passwords known only to the user (passwords are not stored). System security is maintained via
a combination of physical security, passwords, and firewalls.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: William Hermach
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Alchemy
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Alchemy
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The primary purpose of the Alchemy system is to
support the NINDS ASP by managing the large volumes of Utah test result data and other ASP
files.
Alchemy also provides a way for authorized users to search for legacy Utah test result data
through functions for indexing, archival, query, retrieval, and viewing. The ability to perform
searches via Alchemy reduces the need to store microfilm and paper copies on NINDS premises.
This, in turn, reduces the requirement for ever-increasing storage space.
The Alchemy system supports the mission of the ASP, which is to encourage and facilitate the
discovery and development of therapeutics for treatment of seizure disorders. The success of
these efforts translates directly into new drugs to treat patients with these disorders.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Researchers receive the letters. Data includes contact information for individual researchers, in accordance
with (IAW) SOR# 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Correspondence Letter
which includes name and business address.
Publicly available journal articles which possibly contain name and email address. Submission
of the information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The letters either come from the person or are sent to
the person as a part of the process in entering test results. Consent and notification are assumed
when the individual sends or receives the letter containing the information. No other notification
is done.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Single sign-on using user name and
password; the system resides behind a firewall and is in a server room with no external access. All
personnel not having card key access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Anti-Epileptic Drug
Discovery System II (ADDS II)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): NO
7. System Name (Align with system Item name): Anti-Epileptic Drug Discovery System II
(ADDS II)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The purpose of the ADDS II system is to facilitate the
establishment of worldwide collaborative relationships among the government, academia, and
industry to search for a cure for the epilepsies and to provide the necessary incentives for discovery,
characterization, and development of novel antiseizure/anticonvulsant agents.
These efforts are undertaken through multi-level testing directed toward the development of safer
and more effective therapies for treating the various seizure disorders. To aid in the process, the
Anti-Epileptic Drug Discovery System II (ADDS II) application was developed. ADDS II
provides a fully integrated system to support the preclinical drug discovery business area. Users
can access chemical compound data, order and manage tests, enter test results, and manage
inventory using predefined forms and reports.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Data is not shared. The data is used by NIH personnel only to contact researchers who submitted
the data. SOR# 09-25-0200
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Collect name, business
telephone number, business email address, business address, institution/company/agency name,
public web site URL. Information is collected from researchers who submit compounds for
testing. It is used to communicate test results back to the researcher. Information is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Institutions submit compounds and test results
voluntarily. Consent to collect this information is assumed upon submission. There are no other
processes in place associated with the ADDS II system to notify or obtain consent.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Role-based security, using user name and
password for network and Oracle access; the system resides behind a firewall and is in a server room with
no external access. All personnel not having card key access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Bioinformatics
Research Information
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): EvoPrinter
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Quang Hoang
10. Provide an overview of the system: EvoPrinter supports researchers comparing DNA
sequences to a library of known sequences. Research sequences can be submitted and
EvoPrinter determines the similarities and differences, especially with regard to evolutionary
closeness.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EvoPrinter only processes
anonymous DNA sequences. It stores no data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on
an annual basis. Also, the security controls and disaster recovery plan are documented as part of
the Certification and Accreditation process. The system is also protected by the Institute's
firewall and intrusion detection systems. The system also has several physical controls in place
to secure any data. The system is protected by guards, ID badge requirements, and key card
access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Clinical
Information Management System (CIMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Clinical Information Management System
(CIMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Quang Hoang
10. Provide an overview of the system: CIMS supports the Clinical Research program of
NINDS. It consists of two subsystems, the Clinical Study Information System (CSIS) and the
Protocol Tracking and Management System (PTMS), that store information relevant to the
Clinical Research studies of NINDS and patients involved in those research studies.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: CIMS supports the Clinical
Research program of NINDS. It consists of two subsystems, the Clinical Study Information
System (CSIS) and the Protocol Tracking and Management System (PTMS), that store
information relevant to the Clinical Research studies of NINDS and patients involved in those
research studies. Some PII may be maintained by the CSIS subsystem, but not by
PTMS. Submission of a minimal amount of personal information is required for patients who
have volunteered to participate in the clinical studies.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Participants in clinical studies volunteer to participate
in the studies and give their written consent to provide PII and medical information. They are
notified of such study requirements when they volunteer for the studies, and they are given
information on how the study information may be used. It is not feasible to obtain further
consent for any later changes in the CIMS system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Role-based security, using an authorized user
name and password for network access to CIMS. The system resides behind a firewall and is in a
server room with no external access. All personnel not having card key access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Daily Refresh
Workload FY XXXX NS
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Daily Refresh Workload FY XXXX NS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The Daily Refresh Workload FY XXXX NS is a
system that refreshes a Grant Specialist workload report on a daily basis. This report is stored on
a common drive and is viewed by Grants Management Officials and their deputies.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system generates a report that only authorized personnel can access. The report displays the
workload for each Grant Specialist.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores the
following information.
* Grant Specialist name and his/her General Schedule (GS) level.
* Grant number.
* Cluster name.
The system creates a report detailing each Grant Specialist's workload and compares it with his/her
GS level. The Grant Specialist's name, combined with his/her GS level, could be considered PII. The
information contained in this system is required when the individual accepts a position as a
Grant Specialist.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The data is collected by the IMPAC II system and
NINDS relies on the IMPAC II system to obtain permission via the grant application process and
to notify individuals when major changes are made affecting the use of the data, how the data
will be used and why it is being collected. The IMPAC II system uses the data to process grant
applications and maintain grants. NINDS uses this automailer as a portion of the grant
application process to inform the applicant of the status of their application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on an
annual basis. Also, the security controls and disaster recovery plan are documented as part of the
Certification and Accreditation process.
The system has several technical controls in place to secure the data. A user must first provide a
valid username and password to access the NINDS network. The user must also be a system user
before he or she can access the system. The Institute's firewall and intrusion detection systems
also protect the system.
The system also has several physical controls in place to secure the data. The system is protected
by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Employee
Database Internet Edition
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NINDS Employee Database Internet
Edition
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The EDie application supports the efforts of NINDS
by tracking employee information. The application downloads this information from the Human
Resources Database (HRDB) weekly. Information entered into the EDie database is not uploaded
into the HRDB. Due to the sensitivity of the personnel data in this system, access to the EDie
database is limited to specific users within NINDS. Users are assigned roles that restrict what
data they may view and what functions they can perform. Access privileges are enforced
through authentication within the database.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected is
all information pertinent to a personnel file. There are many uses for this information: (a)
tracking a time-limited appointment to ensure renewals are done in a timely manner thereby
avoiding any break in service; (b) ensuring that allocated FTE ceilings are maintained; (c)
ensuring salary equality for various hiring mechanisms; (d) the ability to provide reports
requested by the NIH Director; (e) maintaining lists of non-FTEs, special volunteers, contractors,
etc. Information is mandatory at time of hire.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is collected from documents provided by
employees (CV, resumes, etc) at the time of appointment. It is provided in personnel packages
submitted through channels in order to affect a hire. This information is put into the Enterprise
Human resources and Payroll System (EHRP) and subsequently downloaded into the NIH
NINDS Employee Database Internet Edition. Individuals are notified of the collection and use of
data as a part of the hiring process. Changes to the system or to the use of the information are relayed to
employees via official notices from HR and the system owner.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This information is provided to key staff by
the administrator. Access to the system is granted only to persons who have the proper access rights,
authenticated with a user name and password. The system is secured in a locked office, and the building is
secured by a security guard.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS eNotification
Automailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106 and 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): eNotification Automailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The eNotification Automailer is a Microsoft Access
database system that queries IMPAC II, generates a report, and sends email notifications to grant
applicants. The system searches for grant applications that recently have been given a score or
percentile. Based on business rules established by the business users, the system will email
notifications that indicate the likelihood that the applicant will receive funding. All reports are
stored on a secure network drive and a copy of the email is stored in the Microsoft Outlook
Public Folders.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system sends email notifications to grant applicants on the likelihood that their grant
application will be funded.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores Principal
Investigator Name, Work Address, Email, Administrative Office Email, and Institution Name.
The information is collected by IMPAC II as a required part of the grant application and is used
to process the grant application and, if funded, to maintain the grant. eNotification Automailer
uses this information to inform the applicant about the status of his/her grant application.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The data is collected by the IMPAC II system and
NINDS relies on the IMPAC II system to obtain permission via the grant application process and
to notify individuals when major changes are made affecting the use of the data, how the data
will be used and why it is being collected. The IMPAC II system uses the data to process grant
applications and maintain grants. NINDS uses this automailer as a portion of the grant
application process to inform the applicant of the status of their application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure data. The NIH requires security training for all system users on an
annual basis. Also, the security controls and disaster recovery plan are documented as part of the
Certification and Accreditation process. The system has several technical controls to secure the
data. A user must first provide a valid username and password to access the NINDS network.
The user must also be a system user before he/she can log onto the system. The Institute's
firewall and intrusion detection systems also protect the system. The system also has several
physical controls in place to secure the data. The system is protected by guards, ID Badge
requirements, key card access, cipher locks, and closed-circuit television.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Extramural
Financial Management Branch
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8601-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NINDS FinEx
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The FINeX application is a centralized, Internet-based
relational database environment that stores data and business rules (procedures) required to
maintain the Extramural grant budget. The FINeX application includes the tools necessary to
estimate, award, obligate, forecast and report on grant budgets in the Extramural program.
In its in-production state, FINeX resides on the NINDSAPPS3 server as a .Net, web-deployed
application. Its interdependencies on other resources (or dynamically-linked libraries (DLLs))
are fully compiled into the installed version of FINeX on NINDSAPPS3. NINDSAPPS3 serves
as the web application server for NINDS, where FINeX is exclusively used. The databases on
which FINeX is dependent reside on NINDS resources, SQLCLUSTER (SQL Server 2000
database server) and IRIS (Oracle 10 database server). FINeX utilizes, but is not dependent on,
NIH CIT resources for supplemental data (e.g., IRDB, an Oracle database warehouse server, and
DataWarehouse, an IBM mainframe finance data warehouse).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is obtained from the eRA system in the administration of research grants IAW SOR# 09-25-0036.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Financial Grant information.
The FINeX application is a centralized, Internet-based relational database environment that
stores data and business rules (procedures) required to maintain the Extramural grant budget.
The FINeX application includes the tools necessary to estimate, award, obligate, forecast and
report on grant budgets in the Extramural program. IIF contained in NINDS FinEx is obtained
from the eRA system and is a required part of the Grant submission process.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF is submitted as a part of the grant application
process. Information used by the NINDS FinEx is taken from the eRA grant application.
Notification and consent from the individual are assumed when the grant application is submitted.
All notification and consent are handled via the Grant application submission process and
eRA systems.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Role-based security, single sign-on using user
name and password; the system resides behind a firewall and is in a server room with no external
access. All personnel not having card key access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Fellowship Mailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): Fellowship Mailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The Fellowship mailer sends reminder notifications to
fellowship recipients. The system sends activation reminders to recipients who have not yet
activated their fellowships. The system sends non-activated reminders to recipients who did not
activate their fellowships by the due date. The system also sends termination reminders to
recipients about the reports they need to send to NINDS at the end of their fellowships.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system sends an email to the Principal Investigator (PI) and the PI's Administrator about the
activation status of a fellowship.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores the
following information:
- Grants Specialist Name
- Grants Specialist phone number
- Grants Specialist email
- Grants Management Official name
- Grants Management Official email
- Grant Number
- Principal Investigator name
- Principal Investigator email
- Principal Investigator's Administrator email
The system sends an email to the Principal Investigator (PI) and the PI's Administrator about the
activation status of a fellowship. Disclosure may be made to a grantee or contract institution in
connection with performance or administration under the conditions of the particular award or
contract.
Principal Investigator information is required when an individual applies for a grant.
Grants Specialist information is required when an individual accepts a position as a Grants
Specialist.
The information collected for the Principal Investigator contains PII/IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIH collects the PII/IIF from the Grant
Application, and NINDS relies upon the NIH policy for notifying and obtaining consent from the
Grant Applicants and Principal Investigator. See SOR# 09-25-0036.
In this system the information is used to send an email to the Principal Investigator (PI) and the
PI's Administrator about the activation status of a fellowship.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on an
annual basis. Also, the security controls and disaster recovery plan are documented as part of the
Certification and Accreditation process.
The system has several technical controls in place to secure the data. A user must first provide a
valid username and password to access the NINDS network. The user must also be a system user
before he or she can access the system. The Institute's firewall and intrusion detection systems
also protect the system.
The system also has several physical controls in place to secure the data. The system is protected
by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS GM Close Out
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): GM Close Out
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The GM Close Out system runs a report on a quarterly
basis and provides the close out status of grants for all Institutes and Centers (ICs).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
System does not contain IIF/PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores Grant
Number and Grant Close Out Status for generating the quarterly Grant Close Out report and for
historical purposes.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) System does not contain IIF/PII
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: System does not contain IIF/PII
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS GMB Workload
Automailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): GMB Workload Automailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The GMB Workload Automailer is a Microsoft Access
database system that queries IMPAC II, generates workload reports, and sends links to those
reports via email to the GMO. These workload reports (five in all) provide a
weighted workload score for each Grant Specialist based on business rules established by the
GMO. All reports are stored on a secure network drive.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system does not contain IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system does not
contain IIF
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This system does not contain IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system does not contain IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS GMO Unsigned
Automailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): GMO Unsigned Automailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The GMO Unsigned Automailer is a Microsoft Access
database system that queries IMPAC II, generates a report, and sends a link to that report via
email to the GMO. The report displays all grant applications that Program Staff have completed
and that are ready for the GMO’s signature. All reports are stored on a secure network drive.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system does not contain IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system does not
contain IIF
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This system does not contain IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system does not contain IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS GMS Unsigned
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): GMS Unsigned
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The GMS Unsigned system generates a report of all
grant applications that have been signed by the Program Official but not signed by the Grants
Specialist. All personnel listed on the report are sent a link to the report.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system generates a report of all grant applications that have been signed by the Program
Official but not signed by the Grants Specialist.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores the
following information:
- Grant Specialist Name.
- Program Official name.
- Grant application number.
This information contains PII when tied to the Grant Application Number. The GS and PO
names are required when accepting these positions.
The system emails a report detailing the grant applications that are awaiting the signature of the
Grant Specialist.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The data is collected by the IMPAC II system and
NINDS relies on the IMPAC II system to obtain permission via the grant application process and
to notify individuals when major changes are made affecting the use of the data, how the data
will be used and why it is being collected. The IMPAC II system uses the data to process grant
applications and maintain grants. NINDS uses this automailer as a portion of the grant
application process to inform the applicant of the status of their application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several controls in place to
secure the data. The NIH requires security training for all system users on an annual basis. Also,
the security controls and disaster recovery plan are documented as part of the Certification and
Accreditation process.
The system has several technical controls in place to secure the data. A user must first provide a
valid username and password to access the NINDS network. The user must also be a system user
before he or she can access the system. The Institute's firewall and intrusion detection systems
also protect the system.
The system also has several physical controls in place to secure the data. The system is protected
by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS GS Reassignment Automailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): GS Reassignment Automailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The GS Reassignment Automailer is a Microsoft
Access database system that queries IMPAC II, generates a report, and sends email notifications
to Grant Specialists. These email notifications indicate that the Grant Specialist assigned to
a grant application has been changed, and the system sends notifications to both the new and
former Grant Specialists. The email notification also provides a link to the report detailing all
reassignments. All reports are stored on a secure network drive.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system does not contain IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system does not
contain IIF
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This system does not contain IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system does not contain IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Intent to Pay (ITP) Web
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Intent 2 Pay (I2P)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The Intent to Pay application aids in the administration of
grants by providing a single definitive list of grant applications to pay during a council round.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
I2P passes information to other internal systems (FINEX, iWin, Council Web Site)
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Grant Number, PI Name,
Financial information are collected, maintained, disseminated. This system is used to review
grant applications and indicate which will be paid. IIF information is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF is submitted as a part of the grant application
process. Information used by the NINDS FinEx is taken from the ERA grant application.
Notification and consent from the individual is assumed when the grant application is submitted.
All notification and consent is taken care of via the Grant application submission process and
eRA systems.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Role-based security, single sign-on using user
name and password; the system resides behind a firewall and is in a server room with no external
access. All personnel not having card key access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Intranet
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8606-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NINDS Intranet
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The NINDSINTRANET server supports the “NINDS
Intranet Employee Website” located at http://intranet.ninds.nih.gov/. The server provides
advanced symmetric multiprocessing (SMP) support, clustering, and load-balancing technologies
to meet the requirements of NINDS Intranet users.
The server resides on the NINDS private network (Intranet) and, thus, the services it supports are
not accessible to the general public.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system discloses IIF to authorized NIH Staff with logon access through links to other NIH
systems such as NED IAW SOR 09-25-0106.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information is not directly
submitted through the NINDS Intranet. All information displayed on the NINDS Intranet is
collected and stored by other systems within the NIH. As far as the NINDS Intranet is concerned this
IIF is voluntary, although it may be required by other NIH systems.
· NINDS directory, including employee contact information
· NINDS calendar
· News and alerts
· NINDS policies
· NINDS forms
· Human resources information
· Jobs and training information
· Information about funding opportunities
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The Intranet only accesses and displays data from other
systems. Consent is assumed to have been given when the information was collected by those
systems. Notification of major changes to the system is disseminated via email to all NINDS
personnel. Consent from individuals concerning IIF that may be displayed on the Intranet is the
responsibility of the system actually collecting that information. IIF is only displayed to those
Staff who have login access to the systems containing the IIF.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Network sign-on using user name and
password; the system resides behind a firewall and is in a server room with no external access. All
personnel not having card key access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Large Grant Mailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Large Grant Mailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The Large Grant Mailer system runs twice a year and
sends emails to all NINDS grantees about the procedures for submitting a grant application in
excess of $500,000.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system sends an email to the Principal Investigator (PI) with information about submitting
grant applications over $500,000. Disclosure may be made to a grantee or contract institution in
connection with performance or administration under the conditions of the particular award or
contract.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores the
following information:
* Principal Investigator name.
* Principal Investigator email.
PII in the form of PI name and email is contained in the email.
This information is required when the PI submits a grant application.
The system sends an email to the Principal Investigator (PI) with information about submitting
grant applications over $500,000.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The data is collected by the IMPAC II system and
NINDS relies on the IMPAC II system to obtain permission via the grant application process and
to notify individuals when major changes are made affecting the use of the data, how the data
will be used and why it is being collected. The IMPAC II system uses the data to process grant
applications and maintain grants. NINDS uses this automailer as a portion of the grant
application process to inform the applicant of the status of their application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on an
annual basis. Also, the security controls and disaster recovery plan are documented as part of the
Certification and Accreditation process for the General Support System (GSS).
The system has several technical controls in place to secure the data. A user must first provide a
valid username and password to access the NINDS network. The user must also be a system user
before he/she can access the system. The Institute's firewall and intrusion detection systems also
protect the system.
The system also has several physical controls in place to protect the data. The system is protected
by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS MS Access Nightly Download System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): MS Access Nightly Download System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The MS Access Nightly Download System loads the
SRPD_Data.mdb database with data from the IRIS Oracle Database. This process runs on a
nightly basis.
The SPRD_Data.mdb serves as a repository of grant information for several NINDS systems.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No PII is shared.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects the
following information:
- Grants Specialist (GS) and Grants Management Official (GMO) name.
- Program Official (PO) and Health Science Administrator (HSA) name.
- Grant number.
- Principal Investigator (PI) name.
- Organization name.
The MS Access Nightly Download System loads the SRPD_Data.mdb database with data from
the IRIS Oracle Database. The SPRD_Data.mdb serves as a repository of grant information for
several NINDS systems used to process and maintain grants.
When used together some of this information may be considered PII.
This information is mandatory for processing and maintaining grants.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIH collects the information, and NINDS relies
upon the NIH policy for notifying and obtaining consent from individuals. Information regarding
individual notification procedures is further addressed in the NIH Privacy Act Systems of Record
Notice 09-25-0036, published in the Federal register, volume 67, No. 187, September 26, 2002.
This information is collected by the eRA system when grants are applied for and updated as a
grant is awarded and maintained. Notification that this data is being collected, what is being
collected and what it is used for is explained in detail in the grant application process. As
individuals apply for positions as a GS/GMO/PO/HSA/PI this information is collected and the
purpose for collecting it is explained and consent obtained at that time either verbally or in
writing. This information is mandatory if a person accepts these positions.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on an
annual basis. Also, the security controls and disaster recovery plan are documented as part of the
Certification and Accreditation process for the General Support system (GSS).
The system has several technical controls in place to secure the data. A user must first provide a
valid username and password to access the NINDS network. The user must also be a system user
before he or she can access the system. The Institute's firewall and intrusion detection systems
protect the system.
The system also has several physical controls in place to secure the data. The system is protected
by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Nightly Download
Status Automailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Nightly Download Status Automailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The Nightly Download Status Automailer is a system
that queries IMPAC II, IRIS, SQLCLUSTER, and NINDS_LOCAL_APPLS to check the status
of the nightly download and prepares a text file record-count report. The report displays the
number of records downloaded from IMPAC II and the number of records downloaded
into each IRMB database following the nightly download. The report is sent to interested IRMB
staff.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system does not contain IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system does not
contain IIF
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This system does not contain IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system does not contain IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS NINDS DIR
General Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): DIR General Support System (GSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Quang Hoang
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS NINDS OD DER
General Support System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): OD/DER General Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Notify Deputy
GMO of NEW PCC in IMPACII
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Notify Deputy GMO of New PCC in
IMPACII
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The Notify Deputy GMO of New PCC in IMPACII
system sends an email to the deputy GMO when a new Program Class Code (PCC) is created in
IMPACII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores Program
Class Codes (PCC).
The system emails a report if a new PCC is created in IMPACII.
No PII is collected or included in this system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS
People/Organization Module (POM)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8601-00-402-125
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): People/Organization Module (POM)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The POM provides a centralized repository of all
NINDS employees and tracks the following information:
- IRMB applications used by NINDS employees.
- Employment Status.
- User Roles.
- Cluster Assignments.
- Organization Role.
- Program Class code (PCC)
This information is used by other NINDS systems for their user authentication and authorization.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores the
following information:
- Name
- Email Address
- NT Login name
- IMPACII Person_ID
- Employment Status
- Cluster Assignment
- Organizational Role
- Program Class Codes (PCC)
This information is used by other systems for their user authentication and authorization. This
information is mandatory and is collected as a part of the Grants Management process.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIH collects the PII, and NINDS relies upon the
NIH policy for notifying and obtaining consent from individuals. Information regarding
individual notification procedures is further addressed in the NIH Privacy Act Systems of Record
Notice 09-25-0216, published in the Federal register, volume 67, No. 187, September 26, 2002.
This information is collected as a part of their employment in a position involving the managing
of grants. They are advised of the need to collect this information and how it will be used either
verbally or in writing at the time they accept the position.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on an
annual basis. Also, the security controls and disaster recovery plan are part of the Certification
and Accreditation process. Finally, the system maintains several user roles, and each system user
is given the least privilege needed to perform his or her business function.
The system has several technical controls in place to secure the data. A user must first provide a
valid username and password to access the NINDS network. The user must also be a system user
before he or she can log onto the system. The Institute's firewall and intrusion detection systems
also protect the system.
The system has several physical controls in place to secure the data. The system is protected by
guards, ID badge requirements, key card access, cipher locks, and closed-circuit television.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS PO Reassignment
Automailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): PO Reassignment Automailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The PO Reassignment Automailer is a Microsoft
Access database system that queries IMPAC II, generates a report, and sends email notifications
to Program Officials (POs) via email. These email notifications indicate the PO assigned to a
grant application has changed and notifies both the new and former POs. The email notifications
also provide a link to the report that details all the reassignments. All reports are stored on a
secure network drive.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system does not contain IIF.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system does not
contain IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This system does not contain IIF.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system does not contain IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS PO Unsigned
Report
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): PO Unsigned Report
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The PO Unsigned Report system creates a report of
grant applications with a To Be Paid status that have not been signed by the Program Official.
The email contains a link to the report, which is stored on a common drive.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The System stores the
following information:
* Grant Specialist (GS) name.
* Program Official (PO) name.
* Principal Investigator (PI) name.
* Grant number.
The system emails a report detailing the grant applications that are awaiting the signature of the
Program Official. This information is mandatory as a part of accepting the position of GS, PO, or
PI.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The data is collected by the IMPAC II system and
NINDS relies on the IMPAC II system to obtain permission via the grant application process and
to notify individuals when major changes are made affecting the use of the data, how the data
will be used and why it is being collected. The IMPAC II system uses the data to process grant
applications and maintain grants. NINDS uses this automailer as a portion of the grant
application process to inform the applicant of the status of their application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on an
annual basis. Also, the security controls and disaster recovery plan are documented as part of the
Certification and Accreditation process for the General Support system (GSS).
The system has several technical controls in place to secure the data. A user must first provide a
valid username and password to access the NINDS network. The user must also be a system user
before he or she can access the system. The Institute's firewall and intrusion detection systems
also protect the system.
The system also has several physical controls in place to secure the data. The system is protected
by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Public Access Data Load
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Public Access Data Load
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The National Institutes of Health (NIH) requires that
the general public have access to publications that result from NIH-funded research. To satisfy
this responsibility, scientists must submit their peer-reviewed publication to PubMed Central.
The National Institute of Neurological Disorders and Stroke (NINDS) developed the NINDS
Public Access Compliance System to help staff track compliance with the requirement. The
Public Access Data Load system runs twice a day and queries IMPACII for new Type 5 Progress
Reports. These Type 5 Progress Reports are used by the NINDS Public Access Compliance
System to help track compliance. More information about the Public Access Policy is available
at http://publicaccess.nih.gov/.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system collects Type 5
Progress Reports containing publicly accessible data, which are then used by the NINDS Public
Access Compliance System to help ensure compliance with the NIH Public Access Policy, which
implements Division G, Title II, Section 218 of PL 110-161 (Consolidated Appropriations Act,
2008). No PII is contained in these reports. Information contained in this system is not
available to the public via this system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Purchasing Online Tracking System Shared Service Platform [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8602-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): Purchasing Online Tracking System (POTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Quang Hoang
10. Provide an overview of the system: Consolidates workflow relating to acquisition—
purchase request, approval, ordering, and receiving—into a paperless, auditable system, and
provides a central repository for all purchase-related forms. POTS allows requesters, approvers
and purchasing agents to use one Web-based system to perform the tasks needed to submit,
review and approve purchase requests.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Purchase-related data
(requester, purchaser, vendor, purchase item descriptions). POTS allows requesters, approvers
and purchasing agents to use one Web-based system to perform the tasks needed to submit,
review and approve purchase requests. No PII data is requested or stored.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on
an annual basis. Also, the security controls and disaster recovery plan are documented as part of
the Certification and Accreditation process. Finally, the system maintains several user roles, and
each system user is given the least privilege needed to perform his or her business function. The
system has several technical controls in place to secure the data. A user must first provide a
valid username and password to access the NIH network. A user must also be an authorized
system user, with a record in the user table. The system is also protected by the Institute's
firewall and intrusion detection systems. The system also has several physical controls in place
to secure the data. The system is protected by guards, ID badge requirements, and key card
access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Receipt and Referral System (RRS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NINDS Receipt & Referral System (RRS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The RRS is an electronic reading room that allows
NINDS DER Program Directors (PDs) and Program Analysts (PAs) to perform the following
tasks:
* Pre-sort Type 1 grant applications into clusters.
* Indicate an interest in being either the primary Program Director assigned to the grant or the
secondary Program Director.
The system allows an administrator, normally the Referral Liaison (RL), to approve the grant
application assignments and send this information, i.e., the assigned Program Director’s program
class code (PCC), to the eRA system. The administrator also has the capability to perform
certain system utilities.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
See SOR# 09-25-0036. This information is further addressed in the NIH Privacy Act Systems of
Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September
26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: IIF information in the form
of PI Name and grant application number are obtained from eRA for use in processing grant
applications. The information is mandatory for processing a grant application and is submitted
with the grant application to the eRA system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF is submitted as a part of the grant application
process. Information used by RRS is taken from the ERA grant application. Notification and
consent from the individual is assumed when the grant application is submitted. All notification
and consent is taken care of via the Grant application submission process and eRA systems.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Role-based security, user name and
password; the system resides behind a firewall and is in a server room with no external access. All
personnel not having card key access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS SharePoint Document Library
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018, 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): SharePoint Document Library
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The SharePoint Document Library is an electronic
library maintained in Microsoft Office SharePoint Server. It contains documents pertaining to all
NINDS hardware and software systems, Disaster Recovery and Contingency Planning, training,
workflows, and other NINDS/OD/IRMB administrative documents.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Home phone numbers are provided in an emergency call list for use by disaster recovery
personnel in the event of a disaster.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Employee name, home
phone number, cell phone number, and business number are collected for use in an emergency
recall list used in disaster recovery/contingency planning and execution.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) For the Emergency Call/Recall List(s), personnel are
contacted in person when information is collected or updated. They are informed at that time the
purpose for collecting this information. Consent is given verbally at that time. Also see SORNs
09-90-0018 and 09-25-0216.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Network sign-on using user name and
password. SharePoint software also provides the capability to restrict areas based on rules/roles
assigned by the data owners. System resides behind a firewall and in a locked server room with
no external access. All personnel not having key card access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Special Programs in Neuroscience (SPIN)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Special Project in Neuroscience (SPIN)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: SPIN allows staff to track PIs, fellows, trainees, and
supporters who have minority supplements. SPIN allows information on people not stored in
IMPAC II to be associated with a particular grant application. PHS Act Section 301.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
See SOR# 09-25-0036. This information is further addressed in the NIH Privacy Act Systems of
Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September
26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Collected information
includes the grantee's name, race, ethnicity, education level, and gender. The information is
collected for grant application reporting purposes used only within the institute. The collected
information is the minimum amount of information that is associated with the application. The
information is used to monitor research programs, research capacity, building and training, and
health disparities among underrepresented groups (e.g. racial/ethnic, gender, etc.). This
information is voluntary within the SPIN application.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The data is collected from the grant applications that an
individual submits for consideration in obtaining a grant. Consent is assumed when an individual
submits his/her grant application. Notification of major changes to the SPIN system is not made
to individuals whose IIF was obtained from their grant application submission. Notification of
changes to the use of IIF and consent to collect IIF is handled through eRA and the grant
application submission process.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: See SOR# 09-25-0036. This information is
further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the
Federal Register, Volume 67, No. 187, September 26, 2002.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Status of Funds Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Status of Funds Internet Edition (SoFIE)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Quang Hoang
10. Provide an overview of the system: Provides real-time budgeting database information for
the NINDS/DIR. It interfaces with and gets data from the NIH financial management system. It
replaced the earlier Visual Status of Funds (VSOF) system.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Internal NINDS day-to-day
budget information. Does not collect or maintain PII data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on
an annual basis. Also, the security controls and disaster recovery plan are documented as part of
the Certification and Accreditation process. The system is also protected by the Institute's
firewall and intrusion detection systems. The system also has several physical controls in place
to secure any data. The system is protected by guards, ID badge requirements, and key card
access.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Type 5 Received
Automailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Type 5 Received Automailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The Type 5 Received Automailer is a Microsoft
Access database system that queries IMPAC II, searches for specific grant applications and sends
the search results via email to the system user. A copy of the email is stored in the Microsoft
Outlook Public folders.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system does not contain IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system does not
contain IIF
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This system does not contain IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: This system does not contain IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Workload FY
XXXX NS Automailer
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/16/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8610-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Workload FY XXXX NS Automailer
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna Stephenson
10. Provide an overview of the system: The Workload FY XXXX NS automailer is a system
that emails the Daily Refresh Workload FY XXXX NS report to the Grants Management Branch
Chief on a weekly basis.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system emails a copy of the Daily Refresh Workload FY XXXX NS report to the Grants
Management Branch (GMB) Chief. The GMB Chief reviews the workload for each Grants
Specialist.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system stores the
following information:
- The Grant Specialist name and his or her General Schedule (GS) level.
- Grant application number.
- Cluster name.
The email may contain PII. Submission of the information is required when an individual accepts
a position as a Grants Specialist.
The system emails the GMB Chief a report detailing the Grant Specialist's workload compared with
his or her GS level, for review. The GMB Chief reviews the GS's workload to spot potential issues
which need to be addressed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The data is collected by the IMPAC II system and
NINDS relies on the IMPAC II system to obtain permission via the grant application process and
to notify individuals when major changes are made affecting the use of the data, how the data
will be used and why it is being collected. The IMPAC II system uses the data to process grant
applications and maintain grants. NINDS uses this automailer as a portion of the grant
application process to inform the applicant of the status of their application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system has several administrative
controls in place to secure the data. The NIH requires security training for all system users on an
annual basis. Also, the security controls and disaster recovery plan are documented as part of the
Certification and Accreditation process for the General Support System (GSS).
The system has several technical controls in place to secure the data. A user must first provide a
valid username and password to access the NINDS network. The user must also be a system user
before he or she can access the system. The Institute's firewall and intrusion detection systems
also protect the system.
The system also has several physical controls in place to secure the data. The system is protected
by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Joellen Harper Austin, Executive Officer, NINDS 301-496-4697
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINR Developing Nurse
Scientists Online Course
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/15/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0014
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Developing Nurse Scientists Online Course
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Natalie A. Rasmussen
10. Provide an overview of the system: The NINR web based Developing Nurse Scientists
course provides the general profile of NINR and its guidelines for grant submission. The course
also discusses the practical skills necessary for developing a successful research program as
well as the key issues in research including research ethics, IRB, disseminating findings, and
recruiting research participants.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
First name, last name and email addresses of course registrants are collected for credentialing
and provided to the Maryland State Nurse Association. These fields are mandatory.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Names and email addresses
of course registrants are collected for credentialing. The information is mandatory for
credentialing.
This system collects IIF from users. The required fields are First name, Last name and email
address. (The email address is then used as the username, along with a newly created password. The
following fields are required for the password challenge questions used to reset or recover the
password: pet names, favorite city and year graduated from college.) Optional fields include City,
State, Zip, Affiliation, Discipline, Educational Level, Educational Level other, Research
Experience, Research other, and Years in Research. Users' first and last names will be passed on
to the State of Maryland in order to receive Continuing Education Units (CEU). Users will be
given advance notice of this in the site's Privacy Statement. This information will be passed using
secure email.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A privacy notification statement is displayed in the
course as well as a disclaimer. System users can be notified via email of any changes dealing
with PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: NCI has in place controls to safeguard and
restore data in the case of data loss or catastrophe, to protect the data from unauthorized access
or use electronically with passwords, and to prevent physical access to the data with a badging
system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Brian Albertini 301.594.6869
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINR Internet Website
(Public)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NINR Internet Website
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Melissa Barrett
10. Provide an overview of the system: It is the public face of NINR on the web to provide
information about NINR and the research that it supports.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: There is none to secure.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Brian Albertini 301-594-6869
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINR NINR LAN GSS
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/15/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NINR LAN GSS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mary Murray
10. Provide an overview of the system: The NINR LAN GSS includes a number of supportive
“core services” that are provided through the NCI CBIIT GSS to the NINR user community that
provide or enhance network and information security, data storage, backup services, help desk
support, and shared application environments (e.g., enterprise database, web, application, and
storage platforms). The system is a General Support System (GSS) and does not directly collect
or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing under the GSS may collect and store information. Therefore,
individual PIAs have been prepared and submitted for the applications/systems residing on this
GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not applicable.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Brian Albertini
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINR Pediatric Palliative
Care Focus Group Screener [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: Being obtained
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NINR Pediatric Palliative Care Focus
Group Screener
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Adrienne Burroughs
10. Provide an overview of the system: This system will screen potential individuals to ensure
that they fit the eligibility criteria for participation in an online focus group discussion. The focus
group discussions will inform NINR's new pediatric palliative care (PC) communications
campaign by gathering feedback on campaign branding and materials. The purpose of the
campaign is to increase the use of palliative care for children living with serious illness or life-limiting conditions.
The screener will be administered to health care providers (HCP), including physicians, nurses,
and social workers. Proprietary survey software that is white-labeled for vendors will be used to
conduct the screening.
The characteristics collected by the screener include gender, years practicing medicine,
training/certification in pediatric palliative care, years in the nursing and social work fields, and
the state in which the respondent works. However, none of this information will be collected
during the actual focus groups. All focus group answers will be viewed in aggregate, not
assigned to any one respondent, therefore the information collected during the screening will not
be stored.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The National Institute
for Nursing Research (NINR) will conduct two online focus groups, essentially online
discussions, to gather opinions on communications messages and materials. The screener will be
used to determine eligibility to participate in the focus group. Demographic questions will be
asked in the screener. In terms of contact information, the focus group screener only requests an
email address.
(2) NINR/NIH will use the information in the screener to determine if the respondent is eligible
to participate in the focus group discussion.
(3) The Pediatric PC focus group screener will collect the following information: email address,
gender, years of health care experience, and state where the respondent works. Potential focus
group participants have been identified through publicly available information. PII is collected,
stored and maintained in the database, but not shared.
(4) Response to the screener is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) PII data will never be shared or disclosed. If major
changes occur to the Pediatric PC focus group screener, individuals with PII information in the
system will be notified and consent will be obtained.
(2) CONSENT: Prior to beginning the focus group, participants must accept an online consent
that states that personal identity will be protected. This consent form also states that all answers
will be viewed in aggregate. Data files will be stored securely so that (i) only NIH-authorized
researchers can see them and (ii) unauthorized persons in government or non-government
positions cannot see them. After the focus group is completed, contact information will be
destroyed. Focus group answers will be collated with the responses of other participants and
analyzed. No one will be identified in project reports. Participation is voluntary.
An invitation to participate in the focus group screening will be emailed to participants. This
invitation will include a URL link to the focus group screener. If the respondent fits the
screening criteria, he or she will be prompted to read and acknowledge a series of statements and
consent to participate in the focus group before the screening process is complete. This consent
must be accepted before the participant can advance to the focus group. After reading the
consent, potential participants can "accept" and proceed to answer additional screening questions
or decline (i.e., "I do not accept").
(3) USE of INFORMATION: Those who fit the screening criteria will be sent a link to the online
focus group. After the focus group is completed, contact information will be destroyed. No one
will be identified in project reports.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Computer systems, including Web servers
configured for screener administration, and policies and procedures (physical security, personnel
rules of behavior, contingency plans, disaster recovery plans) are in compliance with DHHS and
NIH requirements.
As far as physical access, identification badges, key cards, cipher locks, and closed circuit TV
are in place to secure information. The technical controls that are used to minimize the
possibility of unauthorized access include: user identification, firewalls, passwords, encryption
and IDS. The web-based (online) site will be secure and require HTTPS, so that all data are
encrypted during transmission.
In terms of administrative controls, all servers are backed up, only authorized users have access
to the screener, the backup files are stored offsite, there are multiple servers, and there is a
system security plan in place.
PII data will be destroyed after the focus group screener is completed as described in NIH’s
Manual Chapter 1743 - Keeping and Destroying Records
(http://oma.od.nih.gov/manualchapters/management/1743/).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Brian Albertini Privacy Coordinator, NINR
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINR SGI Evaluation
Survey System (SGI)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: Being obtained
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NINR SGI Evaluation Survey System
(SGI)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Amanda Greene
10. Provide an overview of the system: This survey system will collect information about the
NINR’s Summer Genetics Institute alumni’s career activities since attending the Summer
Genetics Institute. The purpose of this survey is to examine the extent to which the Summer
Genetics Institute, a summer genetics training program, is achieving its long-term goals in
research and clinical practice by increasing genetics research capability, so that changes to the
program can be made if indicated. The characteristics (i.e., information to be collected by this
survey) include alumni’s career activities including research grants, publications, patents,
copyrighted material, professional awards, education, current position type, and demographics
including sex, race/ethnicity, age range, and educational degree.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Disclosure may be made to HHS contractors for the purpose of (a) conducting Summer Genetics
Institute evaluation studies, and (b) collecting, aggregating, processing, and analyzing records
used in Summer Genetics Institute evaluation studies. All HHS contractors are required to
protect the confidentiality of such records.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The National Institute
for Nursing Research (NINR) which owns the SGI Evaluation Survey System is authorized
under Public Law 103-43. The SGI Evaluation Survey System will collect information using an
online survey (description follows). Responses to the online survey are voluntary. Although the
information contained in the SGI Evaluation Survey System only represents federal contact data,
there is the potential for personal data to be collected through the respondent's curriculum vitae.
The SGI Survey is a 36-item survey that asks SGI alumni about research grants, publications,
patents, copyrighted material, professional awards, education, type of current employment
position, and type of principal employer since attending the SGI training program and alumni’s
opinion about program usefulness.
(2) NINR/NIH will use this information to determine the extent to which the SGI, a summer
genetics training program, is achieving its long-term goals in research and clinical practice by
increasing genetics research capability, so that changes to the program can be made if indicated.
This information will help identify if program improvements are needed for the SGI.
(3) The SGI Evaluation Survey System will collect the following information: age, sex,
race/ethnicity, education. Potential survey participants have been identified through the SGI
alumni database. Survey participants will have the option of sending a modified version of their
curriculum vitae (CV). Survey instructions specify that any submitted CV should not include any
of the following: personal contact information (i.e., home address, telephone number), social
security number, date of birth, license number (e.g., RN license), or other licensing or
certification numbers. All information will be analyzed and reported in aggregate form. Other than
as required by law, no PII will be shared or disclosed.
(4) Response to the survey is voluntary. Submission of a modified CV is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) Information about the survey and data disclosure is
provided to survey participants in written form along with the survey instrument. Each survey
participant is informed that the survey is voluntary and that survey data is only provided in a de-
identified aggregate manner. No changes in PII disclosure will be permitted without explicit
consent from each survey participant. If major changes occur to the SGI Evaluation Survey
System, individuals with PII information in the system will be directly notified and new consent
will be obtained.
(2) CONSENT: Prior to beginning the online survey, invited survey participants must accept an
online consent form that states that personal identity will be protected. This consent form also
states that all answers will be assigned a confidential ID number so that name and any other
personal information will not be directly linked. Data files will be stored securely so that (i) only
NIH-authorized researchers can see them and (ii) un-authorized persons in government or non-
government positions cannot see them. After the survey is completed, name and contact
information will be destroyed. Survey answers will be collated with the responses of other
participants and analyzed. No one will be identified in project reports or publications which may
be published or presented publicly. Participation is voluntary.
An email invitation to participate in the survey will be emailed to participants. This invitation
will include a URL link to the survey. When the potential survey participant opens the survey
URL, the first page is an online (electronic) consent form. This consent form must be accepted
before the participant can advance to the survey questions. After reading the consent form,
potential participants can "accept" and proceed to answer the questions or decline (i.e., "I do not
accept").
(3) USE of INFORMATION: After the survey is completed, name and PII information will be
destroyed. Survey answers will be collated with the responses of other participants and analyzed.
No one will be identified in project reports or publications which may be published or presented
publicly. As part of the consent form, participants are informed of the purpose of the survey.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Computer systems, including Web servers
configured for survey administration, and policies and procedures (physical security, personnel
rules of behavior, contingency plans, disaster recovery plans) are in compliance with DHHS,
NIH, and NIST 800-53 requirements and have been approved under NIH C&A procedures for
research Web survey administration, and storage and protection of individual research records.
The web-based (online) survey site will be secure and require HTTPS, so that all data are
encrypted during transmission.
All servers are backed up. All equipment used for this survey system is United States
Government Configuration Baseline (USGCB) compliant.
Only authorized users have access to the survey. External NIH accounts are created for each
user, and each user has access only to their own survey data.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NINR Status of Funds
Internet Edition
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/15/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Status of Funds - Internet Edition
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kevin Wilson
10. Provide an overview of the system: SOFie is a financial reporting/tracking system which is
accessed via the web.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: All accounting transactions
are available for viewing in SOFie. The information is used to track and plan fiscal budgets. It
is necessary to have access to this data in order to comply with appropriations laws and
regulations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is none.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Brian Albertini 301-594-6869
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NLM Clinical Text De-
Identification
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NLM Clinical Text De-identification
System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mehmet Kayaalp, MD, PhD
10. Provide an overview of the system: Clinical text documents contain a rich set of clinical
knowledge that is invaluable for clinical research. Unfortunately, they largely remain an
untapped resource since disseminating such data as-is would jeopardize the privacy of patients
and reveal protected health information.
Computational de-identification is a means to overcome this problem. It involves processing
clinical text documents using natural language processing (NLP) tools and techniques,
recognizing personally identifiable information (e.g., names, addresses, telephone and social
security numbers) in the text, and redacting only those identifiers. In this way, patient privacy is
protected and clinical knowledge is preserved.
Without computational tools, de-identification places a heavy burden on clinicians’ shoulders,
but it is a necessary step for protecting patient privacy as mandated by both the Privacy Rule of
the Health Insurance Portability and Accountability Act (HIPAA) and the Privacy Act of 1974.
The National Library of Medicine (NLM) began testing some existing applications designed for
this purpose and finally decided on developing a new software tool that is capable of de-
identifying all types of clinical text documents with higher accuracy than other available tools on
the market. This way NLM will be able to adjust the software parameters as the nature of
electronically available clinical text changes over time.
The application software design involves a number of both deterministic and probabilistic pattern
recognition algorithms using various computational linguistic methods. It also uses a number of
large datasets for names, addresses, and organizations.
The design accepts text documents in plain text or in HL7 format. If documents are provided in
an HL7 format, the application makes use of patient related information embedded in various
HL7 segments and fields in order to attain near perfect accuracy.
The application software includes an editor for visualization and markup called the Visual
Tagging Tool (VTT). Although its original design was for tagging identifiers that contain
personally identifiable protected health information, VTT has been made publicly available to
the greater NLP community for general purpose lexical tagging and text annotation.
The preliminary results of this study suggest that computational de-identification methods may
attain a superior level of accuracy across a large spectrum of identifiers containing personally
identifiable information.
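The overview above describes the two ingredients of computational de-identification: pattern recognition that finds identifiers (names, addresses, telephone and social security numbers) in free text and redacts only those spans, and, for HL7 input, using the patient data carried in structured segments such as PID to seed that recognition. The following is an added illustration of that design, not code from NLM's de-identification tool or from VTT; the HL7 message, the patient name and every number in it are constructed for the example, and the regexes and the `deidentify`/`deidentify_hl7` function names are this example's own choices. It shows only the deterministic half of the approach (fixed patterns plus dictionary lookup); the probabilistic name recognition the overview mentions is not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed HL7 v2 sample (not real patient data): a PID segment with the patient
# name (PID-5), date of birth (PID-7) and address (PID-11), followed by a free-text
# OBX note that repeats some of those identifiers in prose.
HL7_SAMPLE = (
    "MSH|^~\\&|LAB|NLMTEST|EHR|NLMTEST|201208140930||ORU^R01|MSG00001|P|2.3\r"
    "PID|1||123456^^^NLMTEST||DOE^JANE^Q||19700101|F|||12 ELM ST^^BETHESDA^MD^20814\r"
    "OBX|1|TX|NOTE^Clinical Note||Jane Q. Doe (DOB 01/01/1970) called from 301-555-0123. "
    "SSN 123-45-6789 on file. Patient Doe reports improvement.\r"
)

# The same note as plain text, for the plain-text input path.
NOTE_TEXT = (
    "Jane Q. Doe (DOB 01/01/1970) called from 301-555-0123. "
    "SSN 123-45-6789 on file. Patient Doe reports improvement."
)


@dataclass
class Redaction:
    category: str   # which identifier class was matched
    original: str   # the text that was removed (kept only for audit/QA, never published)


# Deterministic patterns for identifiers with a fixed shape. Order matters: the SSN
# pattern runs before the phone pattern so the two never compete for the same digits.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def pid_names(message: str) -> List[str]:
    """Return the name components from the PID-5 field of an HL7 v2 message.

    Single-letter components (middle initials) are skipped because matching a lone
    letter as a name would redact ordinary text; a fuller tool would handle initials
    with context rather than a dictionary lookup.
    """
    names: List[str] = []
    for seg in re.split(r"[\r\n]+", message):
        fields = seg.split("|")
        if fields[0] == "PID" and len(fields) > 5:
            names.extend(c for c in fields[5].split("^") if len(c) > 1)
    return names


def deidentify(text: str, known_names: Optional[List[str]] = None) -> Tuple[str, List[Redaction]]:
    """Redact fixed-shape identifiers and any known patient names from free text.

    Only the matched spans are replaced, so the surrounding clinical content
    ("reports improvement") survives untouched.
    """
    found: List[Redaction] = []

    def make_sub(category: str):
        def sub(m: re.Match) -> str:
            found.append(Redaction(category, m.group(0)))
            return f"[{category}]"
        return sub

    out = text
    for category, pattern in PATTERNS.items():
        out = pattern.sub(make_sub(category), out)
    # Dictionary pass seeded from structured data: exact, case-insensitive, whole-word.
    for name in known_names or []:
        out = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE).sub(make_sub("NAME"), out)
    return out, found


def deidentify_hl7(message: str) -> Tuple[str, List[Redaction]]:
    """De-identify an HL7 v2 message: blank the PID identifier fields and use the
    patient name taken from PID-5 to improve recall on the free-text OBX notes."""
    names = pid_names(message)
    redactions: List[Redaction] = []
    out_segments = []
    for seg in message.split("\r"):
        fields = seg.split("|")
        if fields[0] == "PID":
            # Structured fields are known positions, so they are replaced outright.
            for idx, label in ((5, "NAME"), (7, "DATE"), (11, "ADDRESS")):
                if len(fields) > idx and fields[idx]:
                    redactions.append(Redaction(label, fields[idx]))
                    fields[idx] = f"[{label}]"
        elif fields[0] == "OBX" and len(fields) > 5 and fields[2] == "TX":
            fields[5], found = deidentify(fields[5], names)
            redactions.extend(found)
        out_segments.append("|".join(fields))
    return "\r".join(out_segments), redactions


if __name__ == "__main__":
    clean, hits = deidentify_hl7(HL7_SAMPLE)
    print(clean.replace("\r", "\n"))
    print(f"{len(hits)} identifiers redacted")
```

Running the module de-identifies the constructed message and prints how many spans were replaced. The redaction list is the QA artifact the overview alludes to: comparing it against a hand-annotated gold set (for instance one produced with VTT) is how precision and recall of the recognizer would be measured, and the "Q." initial left in the note is a concrete example of the gap that purely deterministic matching leaves for probabilistic methods to close.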
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) No new information
will be collected. Existing clinical text documents provided by the Clinical Center at NIH are
used to test and ensure that the developed system works as intended. The information in the text
is not used. Clinical text documents will not be disseminated.
(2) Clinical text documents are needed to test the quality of the system that is under
development. The system will de-identify clinical text records.
(3) Clinical text documents contain PII.
(4) N/A (the data exists)
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1–2) N/A. The project is about the quality assurance
(QA) of the de-identification system under development. No research is conducted on patient
information. In other words, it is an internal NIH QA activity and considered by Office of
Human Subject Research (OHSR) “Not Human Subject Research” based on how OHRP reviews
quality improvement under the current OHRP guidance.
(3) The data is needed to test the quality of the software application that is under development.
The software application will de-identify clinical text records.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: All data is stored on one server and backed
up by another server. The servers and the VLAN router are located in NLM’s computer room
where access is strictly controlled via various physical measures including biometric security
checks. The application has been developed on workstations, which are connected to the server
to access the data. The workstations reside in locked private offices in Building 38A on the NIH
campus. The suites where the offices are located are accessed via access card keys during off hours.
The data are stored in flat text files on encrypted disks using FIPS 140-2 compliant encryption
methods in workstations and servers, which are connected via a private virtual local area network
(VLAN) with no Internet connection. Access to the VLAN is allowed only to workstations and
servers with specific MAC addresses connected to specific physical ports. In other words, if two
such workstations swapped their physical locations (i.e., their ports), they would not be able
to access the VLAN. The workstations are accessed via SecurID. The systems are behind several
layers of firewalls. An intrusion detection system is run every month.
Accesses to the system and data are audited continuously. Every user of the system is required to
complete all security, ethics, and privacy awareness training before receiving access to the
system.
The data in its original text format as received from the clinical center is stored for back up
purposes on encrypted USB thumb drives, which are FIPS 140-2 compliant devices. These
devices are stored in a safe that is located in a locked private office.
The contractors working on this project adhere to the requirements of the Privacy Act, and their
agreements are stated in their contracts with FAR clauses 52.204-2 and 52.239-1.
The security measures are checked and approved by the NLM ISSO.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Dar-Ning Kung
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NLM Genome Assembly
and Annotation (GenBank)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0733-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NLM Genome Assembly and
Annotation (GenBank)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jim Ostell, NCBI; Dennis
Benson, NCBI
10. Provide an overview of the system: GenBank is a database of publicly available DNA
sequence information. GenBank is an annotated collection of nucleotide sequences from over
200,000 different organisms obtained primarily from individual laboratories as well as through
batch submissions from large-scale sequencing centers. The data is exchanged with similar
databases in the UK and in Japan. The database is accessible via the web and by File Transfer
Protocol.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Data collected include
nucleotide sequences and the name of the researcher or laboratory contributing the data, his
institution, and a publicly available email address, as associated with the journal article.
Submission of data is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Dar-Ning Kung
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NLM Lost Person Finder
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: 0925-0612
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH/National Library of Medicine (NLM)
Lost Person Finder System (LPF)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Michael Gill
10. Provide an overview of the system: The National Library of Medicine (NLM) Lost Person
Finder (LPF) project includes Web-based components that collect data to facilitate reunification
efforts during or after a disaster event. This data is collected as part of NLM’s mission to
develop and coordinate communication technologies to improve delivery of health services.
NLM is a member of the Bethesda Hospitals’ Emergency Preparedness Partnership (BHEPP),
which was established in 2004 to improve community disaster preparedness and response among
hospitals in Bethesda, Maryland that would likely be called upon to absorb mass casualties in a
major disaster in the National Capital Region or other areas. The BHEPP hospitals include the
National Naval Medical Center (NNMC), the National Institutes of Health Clinical Center (NIH
CC), and Suburban Hospital/Johns Hopkins Medicine. With its expertise in communications,
information management, and medical informatics, NLM joined BHEPP to coordinate the R&D
program, one component of which is development of a person locator tool to assist in family
reunification after a disaster.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Yes. Information is shared with, disclosed or transferred to: (1) BHEPP participating hospitals’
personnel; (2) the general public via an interactive Web-based system that allows individuals to
search for missing family members that may have been recovered (or found) post-disaster; (3)
other people locator systems endorsed by U.S. government agencies to ensure that
comprehensive data is available to users of such systems and to ensure that use of the NLM
system in no way interrupts or distracts from the operation or use of other people locator
systems.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The primary uses of the Lost
Person Finder project components are to facilitate reunification efforts during or after a disaster.
Subsequently, the NLM will use the data to evaluate the functioning and utility of the LPF
components and similar technologies and guide future enhancements to the system. Collection
of this information is authorized pursuant to sections 301, 307, 465, and 478A of the Public
Health Service Act [42 U.S.C. 241, 242l, 286, and 286d] which authorizes the HHS Secretary to
conduct and support research. The information collected, maintained and disseminated includes
personally identifiable information (or PII) and is collected on a voluntary basis. Biographical
information and physical identifying characteristics will be collected, maintained, and disseminated.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) There is no process for obtaining consent from
individuals whose PII is maintained in the system when major system changes occur. (2)
Information is collected on a voluntary basis. (3) Information is posted on the LPF Web site
notifying users about how their information will be shared.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII is secured by NLM’s controlled-access
computer room (Technical/Physical). Access to the system must be requested in writing from NLM
program staff (Administrative).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Dar-Ning Kung
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NLM Medical Literature
Analysis Retrieval System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0705-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NLM Medical Literature Analysis and
Retrieval System (MEDLARS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dar-Ning Kung
10. Provide an overview of the system: The Medical Literature Analysis and Retrieval System
(MEDLARS) is a multi-purpose application system developed, maintained and operated by the
National Library of Medicine (NLM) at the National Institutes of Health (NIH) and consists of
various application modules to assist the National Library of Medicine in collecting, organizing,
managing, and disseminating health related information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: No
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Dar-Ning Kung
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NLM NLM Data Center
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NLM Data Center [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Michael Simpson, OCCS
10. Provide an overview of the system: The National Library of Medicine Data Center
(NLMDC) is a secure and resilient information system facility located at Bldg. 38A/Rm.
B1W17, 8600 Rockville Pike, Bethesda, MD 20894. The NLMDC houses information systems
that carry out the NLM mission of enabling biomedical research, supporting health care and
public health, and promoting healthy behavior. The Data Center is operated 24/7/365 providing
secure physical and virtual access to authorized personnel. The NLMDC is configured with
redundant power, cooling and network connectivity. The NLMDC systems and personnel play
key roles in System Back-up, Incident Response, Critical Infrastructure Monitoring, System
Equipment Monitoring, Service Desk Support, DR/COOP processes, and Physical and
Environmental Security.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) NLM Data Center is a
general support system that does not collect, maintain, or disseminate information.
(2) N/A
(3) No data will be collected and there is no PII.
(4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Dar-Ning Kung
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NLM NLM Employee
Database Internet Edition [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NLM Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Bryant Pegram
10. Provide an overview of the system: EDie is an intranet based application primarily used to
manage and track personnel information. The application downloads this information from the
Human Resources Database (HRDB) weekly. Information entered into the EDie database is not
uploaded into the HRDB. Due to the sensitivity of the personnel data in this system, access to the
EDie database is limited to specific users within the IC. Users are assigned roles that restrict
what data they may view and what functions they can perform. Access privileges are enforced
through authentication within the database.
Authority for maintenance of the system: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521
and Executive Order 10561
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal senior administrative use only and will not be shared with
other entities. Please refer to SOR #09-90-0018, Personnel Records in Operating Offices,
HHS/OS/ASPER.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from employees via the Human Resources Database (HRDB) system, Fellowship
Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses
consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports
requested by the NIH Director, the IC Director, and other management staff, as requested; and e)
maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments.
The type of information collected constitutes PII and includes the following: name, address,
phone number, social security number and date of birth, and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF in the system is downloaded periodically from the
HRDB. Changes to the HRDB or changes in the way information is used are relayed to
employees via official notice from the NIH Office of Human Resources (OHR). Individuals are
notified of the collection and use of the data as part of the hiring process. This is a mandatory
requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: IIF data is maintained in a secure database.
Routine access is restricted to authorized employees and contractors only, according to the
principle of least privilege, by the use of user name and password access controls. Additional
technical and administrative controls are also employed, including badge access, intrusion
detection systems, firewalls, virtual private networks, encryption, etc.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Dar-Ning Kung
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NLM Open Source
Independent Review and Interpretation System (OSIRIS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Open Source Independent Review and
Interpretation System (OSIRIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Stephen Sherry / Dennis Benson
10. Provide an overview of the system: The Open Source Independent Review and
Interpretation System (OSIRIS) is a software tool for checking and validating DNA profile data
for accuracy and quality. It is a data validation tool for use by local forensic laboratories to
measure the conformance of raw data to quality control standards. NLM receives a limited
number of DNA samples for the purpose of developing and improving the statistical methods
used to validate the results; however, they are de-identified samples from state laboratories.
NLM does not maintain any public or production database of the de-identified samples nor does
NLM have any way of associating the DNA forensic data with a person or with any other
identifying information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The OSIRIS software tool is
a data validation tool developed by NCBI/NLM for use by local forensic laboratories to
determine how their data samples conform to quality control standards. The tool is distributed
to local forensic laboratories for their own internal use. The tool itself does not collect, maintain,
or disseminate data. In the process of developing the OSIRIS program, NCBI/NLM received a
limited number of DNA samples to test the statistical methods used to validate the results. These
samples were obtained solely for the purpose of developing the software algorithms and were de-
identified samples, containing no individually identifiable information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Dar-Ning Kung
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH NLM Toxicology Data
Network [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0703-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NLM Toxicology Data Network
(TOXNET)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dar-Ning Kung
10. Provide an overview of the system: TOXNET (Toxicology Data Network) is the National
Library of Medicine’s extensive collection of online bibliographic information. It is a cluster of
databases covering toxicology, hazardous chemicals, and environmental health and related areas.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: No
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Dar-Ning Kung
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Actions, Training and
Reports Data (ATRD)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: not listed
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Actions Training and Reports Database
(ATRD)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kimberly Hill
10. Provide an overview of the system: The ATRD is a PeopleSoft relational database
consisting of multiple tables containing information about HR transactions and reports for
National Institutes of Health (NIH) employees to be used for training and reporting to mitigate
risks associated with using the production Capital HR (EHRP) database.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information in these records may be used:
(1) By the Office of Personnel Management, Merit Systems Protection Board (including its
Office of the Special Counsel), Equal Employment Opportunity Commission, and the Federal
Labor Relations Authority (including the General Counsel of the Authority and the Federal
Service Impasses Panel) in carrying out their functions.
(2) In the event an appeal is made outside the Department, records which are relevant may be
referred to the appropriate agency charged with rendering a decision on the appeal.
(3) In the event that this system of records indicates a violation or potential violation of law,
whether civil, criminal or regulatory in nature, and whether arising by general statute or
particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant
records in the system of records may be referred, as a routine use, to the appropriate agency,
whether federal, or foreign, charged with the responsibility of investigating or prosecuting such
violation or charged with enforcing or implementing the statute, or rule, regulation or order
issued pursuant thereto.
(4) In the event the Department deems it desirable or necessary, in determining whether
particular records are required to be disclosed under the Freedom of Information Act, disclosure
may be made to the Department of Justice for the purpose of obtaining its advice.
(5) A record from this system of records may be disclosed as a “routine use” to a federal, state or
local agency maintaining civil, criminal or other relevant enforcement records or other pertinent
records, such as current licenses, if necessary to obtain a record relevant to an agency decision
concerning the hiring or retention of an employee, the issuance of a security clearance, the
letting of a contract, or the issuance of a license, grant or other benefit. A record from this
system of records may be disclosed to a federal agency, in response to its request, in connection
with the hiring or retention of an employee, the issuance of a security clearance, the reporting of
an investigation of an employee, the letting of a contract, or the issuance of a license, grant or
other benefit by the requesting agency, to the extent that the record is relevant and necessary to
the requesting agency's decision on the matter.
(6) In the event that this system of records indicates a violation or potential violation of law,
whether civil, criminal or regulatory in nature, and whether arising by general statute or
particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant
records in the system of records may be referred, as a routine use to the appropriate agency,
whether state or local charged with the responsibility of investigating or prosecuting such
violation or charged with enforcing or implementing the statute, or rule, regulation or order
issued pursuant thereto.
(7) Where federal agencies having the power to subpoena other federal agencies' records, such as
the Internal Revenue Service or the Civil Rights Commission, issue a subpoena to the
Department for records in this system of records, the Department will make such records
available.
(8) Where a contract between a component of the Department and a labor organization
recognized under E.O. 11491 or 5 U.S.C. Chapter 71 provides that the agency will disclose
personal records relevant to the organization's mission, records in this system of records may be
disclosed to such organization.
(9) The Department contemplates that it will contract with a private firm for the purpose of
collating, analyzing, aggregating or otherwise refining records in this system. Relevant records
will be disclosed to such a contractor. The contractor shall be required to maintain Privacy Act
safeguards with respect to such records.
(10) Disclosure may be made to a congressional office from the record of an individual in
response to an inquiry from the congressio
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information provided in
HR/informational/metric/workload reports, and training. PII is mandatory to ensure replication of
the production system. ATRD collects transactional data on NIH employees (e.g., action type,
employee name, Empl ID, SSN, IC). The agency uses the data to provide workload and testing
data to HR management. The collection of minimal personal data (PII) is mandatory to mirror
the production database.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) ATRD collects personal data that is used to process
personnel actions, e.g., name, Empl ID, SSN, organization, etc. It does rely on the SSN, but it is
an NIH instance of the HHS system; therefore, no employee consent is obtained. To date there
are no NIH communities that have access to the ATRD system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: System uses an ID and passwords;
passwords are changed every 90 days. In addition, the system is protected by encryption, VPN, a
firewall, and intrusion detection system. Access is based upon roles and on a need to know
basis. Physical security is provided through security guards, ID badges, and the use of key cards.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Administrative
Database [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-01-01-3104-00-402-129
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Administrative Database System
(ADB)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carol A. Perrone
10. Provide an overview of the system: The Administrative Data Base (ADB) is a legacy
system project that is over twenty years old. The new NIH Business System (NBS) was
designed to replace the ADB by FY06. The system provides support for a broad range of NIH
business (financial and administrative) functions including the purchase, receipt, and payment of
goods and services (internal and external); the tracking and supplying of inventories; services
and supply fund activities; and property management. Development of the ADB began in 1978
to automate the processes related to the procurement of goods and services and to translate the
procurement actions into accounting transactions that are processed by the Central Accounting
System (CAS). Since then the CAS has been modified to interface with the ADB. Several other
systems have been added and modifications/enhancements continue to be made to the ADB to
reflect changing policies, requirements and the need for increased functionality. NIH heavily
relies on this system for much of its business transactions and management information. The
legislation authorizing this activity is found in the Privacy Act System of Record (SOR) Notice
#09-90-0018. It is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive
Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information is shared with the IRS and the Department of the Treasury. SOR 09-90-0018.
The agency collects data pertaining to the procurement of goods and services for the NIH as well
as data pertaining to stipend payment to NIH Fellows. Some of the data collected such as the
EIN or SSN and ACH Banking information is required in order to effect payments and prepare
1099s and 1042s. Submission of this data is mandatory.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The agency collects data
pertaining to the procurement of goods and services for the NIH as well as data pertaining to
stipend payment to NIH Fellows. Some of the data collected is IIF such as the EIN or SSN and
ACH Banking information and is required in order to effect payments and prepare 1099s and
1042s. Submission of this data is mandatory. The data is maintained on a Vendor file in the
Administrative Database (ADB) System.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Notification or consent is not done via the Operations
and Maintenance Support group; the system is merely collecting and storing data entered by the
users. Any notification will have to be done by the Business Owners and ICs.
Changes to the ADB system software do not affect the data collected and maintained in the
ADB Vendor file. However, if changes in use occur, notification to the individuals is done by
the Institute or Center (IC) where the original request was initiated or by the Office of Financial
Management (OFM) and follows the processes in place for those organizations.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is run under a secure server and
access is restricted through RACF as well as security within the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol Perrone
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Administrative
Information System (AIS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Administrative Information System (AIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Darlene Blocker
10. Provide an overview of the system: The mission of the Administrative and Information
Technology Office is to support the Office of AIDS Research (OAR). The Administrative Office is
responsible for directing, coordinating, and conducting the OAR administrative management
activities in the areas of: personnel/human resources; space planning; equipment and supplies;
procurement; travel; budget; and information technology, as well as supporting the OD
competencies and the program evaluation and analysis systems. In addition to developing
administrative management policies, the Administrative Office serves as the OAR's focal point
for the OAR Intranet and the development of a wide range of administrative management reports
and documents. The Administrative/Information Technology Office is designed to completely
meet the needs of the OAR.
The Administrative Officer (AO) has developed AIS to support a broad range of administrative
and information technology processes and functions to assist staff in performing efficiently in
their daily assignments.
AIS allows users to access administrative resources by the intranet. Depending on the
designated role, a user will be able to:
Establish Performance Plans;
Prepare purchase requests;
Submit requests for building facility, OAR conference rooms, and telecommunication repairs;
Request compensatory time for travel;
Submit online supply requests;
Verify telework days per pay period;
Review policy and procedures on the intranet;
Complete online assessments based on their occupational series; and
Submit online vehicle requests;
AIS is comprised of 18 unique Modules.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The AIS database will
collect and maintain Purchase Requests, Building and Facility Requests, Telecommunication
Requests, and Vehicle Requests. The Performance Module will contain IIF such as Name,
Office Mailing Address, Office Phone Number, Grade, and Performance Rating. In addition to
the information above, the Purchase Request Module collects the Vendor's Name and Address.
The purpose of the AIS system is to collect and store information to process several administrative
activities and to develop and close out Performance Plans. The OD Competencies system
provides users with a web-based tool that allows them to complete a self-assessment based on
their occupational series. This module allows employees and their supervisors to identify each
employee's strengths and weaknesses.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A plan is being developed to notify staff on how their
names and grades will be used to develop Performance Plans and Ratings. This information will
not be shared outside of the OAR. AIS is an internal system available to OAR users only. In
addition, a plan is being developed to notify staff on how their names and grades will be used to
track self-assessment. This information will be shared with the OD Executive Office and the NIH
Training Center.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: AIS is accessible through the NIH Intranet
and web browser. The application will rely on Windows Operating System to secure PII and to
authenticate users, therefore the users' passwords do not need to be stored in the SQL Server
database. The server is located in a secure facility and one needs a NIH ID to access the building
and a card key to access the server. The server is housed in Office of Information Technology
suites, which is located at 6011 Executive Blvd.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD AIDS Budget System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH OD AIDS Budget System (ABS) PIA
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Donna D. Adderly
10. Provide an overview of the system: The OAR develops the trans-NIH AIDS research
budget, which is explicitly tied to the objectives of the annual strategic Plan. Each year, the
strategic Plan is distributed to all the ICs. The ICs must submit their AIDS-related research
budget requests to OAR, presenting their proposals for all new or expanded program initiatives
for each scientific area, coded to specific Plan objective(s). OAR reviews the IC initiatives in
relation to the Plan, its priorities, and to other IC submissions to eliminate redundancy and/or to
assure cross-Institute collaboration. The NIH Director and the OAR Director together determine
the total amount to be allocated for AIDS-related research within the overall NIH budget. Within
that total, OAR then develops each IC’s allocation for AIDS-related research starting from the
Commitment Base, and based on the scientific priority of each proposed initiative. This process
continues at each step of the budget development process up to the time of the final
congressional appropriation.
To effectively present the NIH AIDS Research Budget the Office of AIDS Research Budget
Office developed a system to replace a paper-based, manually intensive process used to collect,
consolidate, analyze, and report on the National Institutes of Health AIDS Research Budget. The
former process consisted of e-mails, faxes, and spreadsheets, was inefficient and no longer
effective in responding to the demands for timely information when developing and managing
the AIDS budget. This system streamlined the overall budget collection process, and provided
more time for analysis and decision-making.
The ABS is web-based and requires the NIH user name and password for access. The Institutes
and Centers provide general budget information on projects that will be funded in the future.
The system has checks to make certain that all the budget information is consistent throughout
the submission.
This project information contained in the system is used for internal decision making purposes
only and is not shared outside of the NIH. There are no grant numbers or any NIH financial
system data contained in this system.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system will contain
general budget information obtained from the ICs on potential AIDS projects to be funded for a
given fiscal year. The system will be used to collect, consolidate and analyze NIH AIDS budget
information from the ICs. The Office of AIDS Research (OAR) is legally mandated to develop
an annual comprehensive plan and budget for all NIH AIDS research. The ICs within NIH
provide requests for funding for future projects via the system to the central AIDS budget office.
The system does not contain any PII, and use of the system is mandatory for all ICs that request
NIH HIV/AIDS funding in a given fiscal year.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Application,
Registration, Tracking, and Evaluation Database System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0158
5. OMB Information Collection Approval Number: 09-25-0299
6. Other Identifying Number(s): Contract: HHSN263200700050C; Solicitation: 263-2007-
P(GG)-0199; Requisition: 189146
7. System Name (Align with system Item name): ARTiE: Application, Registration, Tracking
and Evaluation
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Patricia Wagner, PhD
10. Provide an overview of the system: The system is designed to identify prospective students
for dissertation research (application), register investigators looking for trainees (registration),
monitor the progress toward degree of current students (tracking), and evaluate applicants for
admission consideration.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Application - NIH personnel involved in the admission process for Institutional and Individual
Partnerships will have access to the applications for review and selection of students for
interviews (Intramural Evaluators). University personnel for the partnerships will have access to
partnership specific applications for evaluation (Extramural Evaluators).
Current Students - NIH personnel will review records to monitor progress toward degree of
trainees, ensuring completion of key elements for degree requirements (select Intramural
Evaluators).
Registration of Investigators - NIH investigators wishing to be listed within a searchable
database for prospective trainees must register with the OITE. Registration information contains
no PII.
Evaluation of Applicants - Both NIH investigators (Intramural Evaluators) and University
professors (Extramural Evaluators) have access to applications for specific partnership
affiliations.
----------
Symplicity personnel will have access to data to ensure integrity and security of the data
contained on the servers. They will not participate in the admission process.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Application,
Registration, Tracking, and Evaluation Database System (ARTiE) is used by the National
Institutes of Health (NIH) Graduate Partnerships Program (GPP) and can be divided into several
interfaces:
Application - NIH personnel involved in the admission process for Institutional and Individual
Partnerships will have access to the applications for review and selection of students for
interviews (Intramural Evaluators). University personnel for the partnerships will have access to
this information (Extramural Evaluators). Application contains PII and submission is
voluntary though required for admission consideration. PII includes: name, contact information,
educational history, and letters of recommendation.
Registration of Investigators - NIH investigators wishing to be listed within a searchable
database for prospective trainees must register with the OITE (Registration information contains
no PII; voluntary participation).
Tracking - NIH personnel will review records to monitor progress toward degree of trainees,
ensuring completion of key elements for degree requirements. PII includes: name, contact
information, educational history, and progress towards degree fields.
Evaluation - NIH investigators participating in an admission committee will review submitted
applications into the institutional and individual partnership; contains PII on the applicants but
not on the admission committee members. Participation of NIH investigators in an admission
committee is voluntary. See above for PII contained in application/registration of prospective
students.
-------------
Symplicity personnel will have access to data to ensure integrity and security of the servers.
They will not participate in the admission process.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Any major changes in the proposed usage of
information will be presented in an email message and/or hardcopy letter to the affected
population. The following sections of ARTIE contain PII: Applications, Evaluation, and
Tracking interfaces.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The data collected and stored in the ARTIE
software are hosted on servers located in Equinix, see http://www.equinix.com/home/ for
specific details on the hosting environment and security elements.
Administrative access to various elements of ARTIE is governed by position, role, and calendar
activities as determined by the GPP staff.
Technical access to the data contained in ARTIE requires a login / password combination which
is activated / terminated by NIH/GPP staff members. Session accesses are automatically
terminated after a specified period of inactivity.
Physical access to the hosting environment in Equinix requires visit letters, photo badge,
biometric screening and pre-authorization. Equinix is a certified SAS Type 1 and 2 data center with
24x7x365 security staff, access controls, biometric controls, physically separated data spaces and
cameras inside/outside the facility.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Patricia Wagner ([email protected] or 240-476-3619)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Commercial Rate
Agreement Distribution Services (C-RADS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Commercial Rate Agreement Distribution
Services (C-RADS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Anita Kimberling
10. Provide an overview of the system: Secured Web-based distribution of Indirect Cost Rate
Agreements for commercial organizations.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: C-RADS is a secured web-based
system used to disseminate indirect cost rate information from negotiated rate agreements
between NIH and commercial companies that receive the preponderance of their Federal awards
from HHS. Access to the system is limited to HHS employees with a bona fide need of the rate
information for use in funding and administering HHS contracts and grants. The system does not
contain any PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: None
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Anita Kimberling
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Commercialization
Assistance Program (CAP) Program Management System (PMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): none available
7. System Name (Align with system Item name): NIH OD Commercialization Assistance
Program (CAP) program management system (PMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lenka Fedorkova, Ph.D.
10. Provide an overview of the system: The Small Business Innovation Research and Small
Business Technology Transfer Program (SBIR/STTR) Office, under the Office of Extramural
Programs (OEP), Office of Extramural Research (OER), NIH provides Commercialization
Assistance Program (CAP) to selected NIH Phase II SBIR awardees, all of whom are early-stage
US small businesses. CAP is a training and mentoring program and as part of the 10-month
program we have a program management system tool which stores information such as the SBIR
award, project period, contact information, company name and address, and details of technology
that are also available in the NIH Query View Report System (QVR). Additional information is
collected from the application which asks general questions about the technology stage of
development, market readiness, and business needs in order to determine appropriateness and fit
for the program. Other information stored in the portal includes notes from advisors that work
with the selected companies and documents developed as part of the program deliverables.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The system collects
standard applicant information including name and the web URL so that we know which SBIR
technology is receiving the assistance in the CAP program, meaning all this PII can be located in
the NIH QVR system. Nothing in this management system is disseminated to anyone; 2) The
PMS is strictly used as a tool to help keep track of and have effective communication with
selected companies and oversee their progress and deliverables; 3) I believe by definition this is
PII; 4) The information is not mandatory but encouraged as it is generally needed to identify the
applicant. Information about the technology details is voluntary and we discourage disclosure
of any business confidential and proprietary information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1) & 2) The contractor and administrator notify
participants of any system changes that would affect safety of the PII collected about them. We
explain to participants how the system works, create log-in credentials for them and disclose
who has access to the portal. We advise all companies to sign confidentiality non-disclosure
agreements (CDAs) and also tell them that all contractors and special advisors also have to sign
CDAs. 3) No information collected within the portal is shared or disseminated to outside parties.
That information is strictly for NIH SBIR program use.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: We have password protected access in place
that is set up for the administrator, the contracted staff that run the database (Larta Institute of
606 Olive Street, Suite 650, Los Angeles, CA), the selected companies which can only access
their own files, and special advisors that mentor the company who also can access technology
related information about the company they were assigned to.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Margaret Snyder
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Computer Access to
Research on Dietary Supplements (CARDS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Computer Access to Research on Dietary
Supplements (CARDS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Karen Regan
10. Provide an overview of the system: CARDS is a database of federally funded research
projects pertaining to dietary supplements.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: CARDS stands for
Computer Access to Research on Dietary Supplements. It is a database of federally funded
research projects pertaining to dietary supplements. The ODS was directed by the U.S. Congress
to "compile a database of scientific research on dietary supplements and individual nutrients" as
part of the Dietary Supplement Health and Education Act (DSHEA) which was passed by
Congress in 1994. The information in CARDS is useful to the U.S. Congress, agencies of the
Federal government, and the NIH Institutes for budgetary considerations. In addition, CARDS
will provide useful information for researchers, health care providers, industry and the general
public. CARDS contains projects funded by the United States Department of Agriculture
(USDA), the Department of Defense (DOD) and the Institutes and Centers (ICs) of the National
Institutes of Health (NIH) beginning with fiscal year 1999, the first year that NIH ICs began
reporting research related to dietary supplements. Projects funded by other Federal agencies will
be added to CARDS as they become available. The data contained in CARDS is downloaded
from the Human Nutrition Research and Information Management (HNRIM) system maintained
by NIDDK. The data contained in HNRIM is downloaded from the NIH IMPAC database.
CARDS includes the following information from IMPAC about each project: sponsoring
organization, project identifier numbers, project title, principal investigator, organization name,
address, project abstract, fiscal year and start date.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Correspondence
Management and Action Tracking System (CATXpress)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 2/8/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: UPI number will be generated after CPIC is
submitted
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD Correspondence Management and
Action Tracking System (CATXpress)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Zanette Childs, IT Team Leader,
NIH/OD/OAR
10. Provide an overview of the system: CATXpress is the industry-leading correspondence
management and action tracking system. CATXpress is a 508-compliant, secured, Web-based
application that provides complete, automated document and record control for the purposes of
capturing, storing, retrieving, processing, and tracking correspondence such as recommendations,
meeting requests, meeting minutes, comments and other notes. It has electronic signatures and
full security controls.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The information being
collected, maintained and/or disseminated in the system are names, personal addresses, personal
phone numbers and personal email addresses. (2) This information is being used for the
purposes of tracking correspondences in the form of hard and electronic copy. (3) The
information does contain PII. (4) Submission of this information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A notice is provided at the point of entry into the
CATXpress Tracking system informing researchers their PII will be collected when their
correspondences are submitted.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative Controls: System Security
Plan, files are backed up daily and there are manuals and training guides for users.
Technical Controls: User identification and passwords plus a firewall. Authorized users will
log into CATXpress using Windows networking with multi-level security and access
controls.
Physical Controls: The server is in a location secured by OIT.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Delegations of
Authority Database (DOA)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Delegations of Authority Database
(DOA)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Daniel Hernandez, NIH
Delegations Officer, (301) 435-3343
10. Provide an overview of the system: The DOA Database provides authorized members of
NIH with the ability to enter delegations of authority for their respective IC; edit data concerning
IC-specific delegations they enter, and run reports, by IC, on authorities delegated to NIH
officials. In addition, they can delegate redelegable authorities within NIH delegations, to
another member of the NIH community authorized to receive the particular authority. A
delegation of authority is the formal assignment or commitment of legal power, usually to a
subordinate official, to make certain decisions and take certain actions that have legal
significance. The OD/OM/Office of Management Assessment has the responsibility to
coordinate and maintain NIH Delegations of Authority from the NIH Director to senior NIH
officials. No PII is contained within the DOA Database system.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The DOA Database will
mirror and track NIH and IC-specific delegations of authority. The database allows authorized
IC and OD DOA Coordinators and OHR Subject Matter Experts to enter a copy of the actual
DOA for which they are responsible and manage it. The DOAs are not disseminated further
than the IC responsible for the maintenance of its DOAs. The database is not used to redelegate
authorities and does not contain the official record of the delegations of authority. A delegation
of authority is the formal assignment or commitment of legal power, usually to a subordinate
official, to make certain decisions and take certain actions that have legal significance. The
DOA Database is accessible to NIH employees only, via the OMA Delegations website but does
not host its own website. User permissions are assigned on a need-to-know basis, as determined
by the IC Executive Officers, OD Office Heads, and the DOA Database System Administrator.
The database does not contain any PII. There is no submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Daniel Hernandez, NIH Delegations of Authority Officer, (301) 435-3343
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Director's Document
and Records Management System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 5/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: None Assigned
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH OD Director's Document and Records
Management System (DDRMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ann Brewer, Director,
Executive Secretariat, NIH
10. Provide an overview of the system: The system provides the processing, tracking,
archiving, search and retrieval of all correspondence and responses directed to the NIH Director
or Deputy Director; documents include email, hardcopy mail, and reports from any source including
HHS, Congress and the public; records are managed for historical purposes and conform to
NARA policies.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Correspondence received may be forwarded to an IC subject matter expert or to the Office of the
Secretary, HHS, for comment, review, drafting a response, or information purposes. Such
correspondence might contain PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system tracks
correspondence that is received by the Office of the Director of NIH and serves as a repository of
electronic records for internal NIH use. All information provided to NIH is voluntary. The
system may contain records with the following PII attributes: name, personal mailing address,
personal phone number, personal email address, legal documents and an image of the original
correspondence. Original correspondence may have subject matter that contains other personal
information in the text of the correspondence. The information is not tracked by the system but
is retained within the image of the original correspondence.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The PII is voluntarily provided by the sender and there
are no processes in place to notify, obtain additional information or further consent after the
correspondence has been received. DDRMS does not solicit or collect information for a
database. The originator/correspondent voluntarily sends PII in the correspondence they
authored to the NIH Director or Deputy Director. DDRMS contains only an image of the
document originally submitted. DDRMS does not manipulate the information for another use.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is hosted by CIT where annual
security audits are conducted for physical, technical and administrative access. The system web
site uses Secure Sockets Layer (SSL) and Security Logging is activated. The web user interface
provides 128-bit encryption and is PKI-enabled. The system keeps an audit trail of all
functional areas. The system, in conjunction with its operating environment, uses identification
and authentication measures that allow only authorized users to access the system. The system
uses multi-level role-based system access controls that are regularly updated by the business
owner and system administrator. Each user is required to log on with their user ID, domain and
password. Users have access only to information that is pertinent to their IC. The user screen
automatically requires new log in after 30 minutes of inactivity. The database containing the
document images is encrypted. Physical records are stored in locked cabinets and deleted
documents are shredded. The system provides digital signature capability that uses 2-factor
authentication. All records that contain PII are marked in red RESTRICTED.
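The controls listed in this answer (access limited to the user's own IC, role-based authorization, forced re-login after 30 minutes of inactivity, and an audit trail of every access) combine naturally into a single deny-by-default check. The Python below is an added illustration of that pattern written for this page; it is not DDRMS code, and the role names, record fields, sample users and sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Idle limit taken from the page's description (new log-in after 30 minutes of inactivity).
IDLE_TIMEOUT = timedelta(minutes=30)

# Hypothetical role names and actions; the page only says access is role-based.
ACTION_ROLES = {"view": {"reader", "editor"}, "edit": {"editor"}}
PII_ROLE = "pii_reader"          # assumption: RESTRICTED (PII) records need an extra role


@dataclass
class Session:
    user_id: str
    ic: str                      # the user's Institute/Center; records are scoped to it
    roles: frozenset
    last_activity: datetime


@dataclass
class Record:
    record_id: str
    ic: str
    restricted: bool             # True when the record is marked RESTRICTED (contains PII)


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def write(self, now, session, record, action, decision):
        # Every decision is recorded, denied ones included, so misuse attempts are visible.
        self.entries.append({
            "time": now.isoformat(), "user": session.user_id,
            "record": record.record_id, "action": action,
            "allowed": decision.allowed, "reason": decision.reason,
        })


def authorize(session, record, action, now, audit):
    """Deny by default: idle timeout, then IC scope, then role, then PII marking."""
    if action not in ACTION_ROLES:
        decision = Decision(False, "unknown action")
    elif now - session.last_activity > IDLE_TIMEOUT:
        decision = Decision(False, "session idle past limit; re-login required")
    elif record.ic != session.ic:
        # Horizontal check: an authenticated user must not see another IC's records.
        decision = Decision(False, "record belongs to another IC")
    elif not (session.roles & ACTION_ROLES[action]):
        decision = Decision(False, f"role does not permit {action}")
    elif record.restricted and PII_ROLE not in session.roles:
        decision = Decision(False, "RESTRICTED record requires PII role")
    else:
        decision = Decision(True, "ok")
        session.last_activity = now   # only a successful access refreshes the idle clock
    audit.write(now, session, record, action, decision)
    return decision


def run_demo():
    """Constructed scenario: one user, two records, five requests. Returns decisions and audit."""
    audit = AuditLog()
    t0 = datetime(2012, 9, 28, 9, 0)
    alice = Session("alice", ic="NCI", roles=frozenset({"reader", PII_ROLE}), last_activity=t0)
    bob = Session("bob", ic="NCI", roles=frozenset({"reader"}), last_activity=t0)
    nci_letter = Record("C-1001", ic="NCI", restricted=True)
    nhlbi_letter = Record("C-2002", ic="NHLBI", restricted=False)

    d1 = authorize(alice, nci_letter, "view", t0 + timedelta(minutes=5), audit)    # allowed
    d2 = authorize(alice, nhlbi_letter, "view", t0 + timedelta(minutes=6), audit)  # other IC
    d3 = authorize(alice, nci_letter, "edit", t0 + timedelta(minutes=7), audit)    # no editor role
    d4 = authorize(alice, nci_letter, "view", t0 + timedelta(minutes=40), audit)   # 35 min idle
    d5 = authorize(bob, nci_letter, "view", t0 + timedelta(minutes=1), audit)      # no PII role
    return [d1, d2, d3, d4, d5], audit


if __name__ == "__main__":
    for entry in run_demo()[1].entries:
        print(entry)
```

Note that the idle clock is only refreshed by a successful access: in the demo, alice's two denied requests at 6 and 7 minutes do not keep her session alive, so her request at 40 minutes is rejected for inactivity even though she was "active" in the denied sense. The ordering of the checks also matters: the timeout is tested before anything else so that an expired session never learns whether a record exists or which IC it belongs to.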
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Document Delivery
System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3304-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): RELAIS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ben Hope
10. Provide an overview of the system: Relais is a document delivery system that allows
library customers to request articles that are not readily available on-line. Relais stores user
information that is available publicly in NED and tracks what has been requested.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The organization uses the
information to correctly deliver documents to individuals who request them.
The system itself does not collect IIF or disperse IIF to other systems. The only IIF
contained in the system is received from the NIH Enterprise Database (NED) through nightly
updates. Specifically, it receives:
NIH ID
Name
NIH email
Office Location
Mail Stop
Office Phone Number
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There are none.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is protected by a number of
different controls that can be viewed in detail in the system C&A package. Some of the major
controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user
names and passwords, and role-based access. For physical protection, the NIH campus is
protected by guards and police; in addition, the server itself is kept behind a locked door.
Administratively, procedures are in place to allow only individuals with a job-related need to
access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Document Generation
System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 4/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: NA
6. Other Identifying Number(s): NA
7. System Name (Align with system Item name): NIH OD Document Generation System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Tish Best
10. Provide an overview of the system: The Document Generation System, also referred to as
the "Workforms," is a web-based system used to generate contract and solicitation documents.
The DGS database or "workform language" consists of federal, departmental and local
mandated acquisition clauses and provisions for various types of contracts and simplified
acquisitions using the Uniform Contract Format (UCF). It is used by the NIH acquisition
community.
The DGS "Workforms" have become the standard for acquisition offices and are used throughout
the NIH. The DGS is a dynamic system and plans to expand workform templates for non-UCF
documents can be accommodated in future updates.
The NCI Office of Acquisition (OA) developed the application and has maintained the DGS
since it was "rolled out" in 2007 through June, 2010 because the Office of Acquisition
Management and Policy (OAMP), Office of Acquisition and Logistics Management (OALM),
NIH has not had the necessary funding and staff resources to fully support the system. To fill the
gap, NCI OA has made the DGS available to the other NIH Offices of Acquisition. In June, 2010
OAMP, OALM, NIH assumed responsibility for the maintenance of the system "content," while
NCI OA continued to take responsibility for the technical support of the system. In September,
2011, OAMP, OALM, NIH assumed total responsibility of the DGS. The DGS is now an NIH
sponsored system. The NCI, CBIIT hosts the DGS through an internal funding mechanism
between NCI, CBIIT and NIH, OD.
The system has an application which consolidates and creates numerous (17) listings of clauses,
called “General Clause Listings” for use in our contract and solicitation documents. These
General Clause Listings are published on the NIH OAMP Website as a resource for NIH staff,
offerors and contractors. The DGS publishes these listings from the DGS system directly to the
NIH OAMP website (http://oamp.od.nih.gov). This is the extent of the DGS involvement with
our website. While it directly publishes information onto the site, it does not host the NIH
OAMP Website.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
NA
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The DGS collects/uses
contract identifiers (PIIDs) from the NBS. In addition, each document generated will contain
unique terms and conditions relative to the contract/solicitation being created, e.g. period of
performance dates, statement of work, estimated costs & prices.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF Collected
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica Lanier
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD DocuShare
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: no
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): DocuShare
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kelly Fennington
10. Provide an overview of the system: DocuShare is a web-based content management
system used by OBA designed to allow users to employ their Web browser to store, view, edit,
and share information with other users across the Internet related to some of OBA’s activities.
Anyone with access to the DocuShare site can download and upload documents, create and
manage repositories called collections, and create calendars, bulletin boards, and other site
objects.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
None
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Contained within the
DocuShare system is information pertaining to human gene transfer protocols, including
information pertaining to institutional review boards. OBA does not collect personally identifiable
information, although such information may occasionally be contained within information
submitted. If such information is inadvertently submitted, this data is redacted before being
downloaded into the DocuShare system. Information of this nature, pertaining to institutional
review boards, is only reviewed internally within OBA and not shared with other individuals.
Information related to specific details regarding adverse events associated with these protocols is
not disseminated to the public or shared with other investigators and does not contain personally
identifiable information. This information is collected in accordance with the NIH Guidelines
and is used for in-house analysis of individual trials as well as across trials with similar products
or methods. There is no information related to IBC members or rosters.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Electronic
Government Ordering System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Electronic Government Ordering
System (e-GOS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Tim Warrington
10. Provide an overview of the system: The e-GOS application is an integrated, Web-based
Task Order (TO) processing system that automates NITAAC’s CIO-SP2i Government Wide
Acquisition Contract (GWAC). The e-GOS application combines e-Business, Customer
Relationship Management (CRM), workflow, and document management to streamline the
process of GWAC ordering from concept to closeout, providing interfaces for Government
Customers, Commercial Contractors, and NITAAC personnel to collaborate on meeting the
procurement needs. e-GOS provides NITAAC, its customers, and commercial contractors the
capability to process TOs and manage financial data using the Internet. There is no public access
of e-GOS.
The security information used in the initialization and implementation of the e-GOS user profiles
needs to be protected to avoid compromising the overall integrity and reputation of the agency’s
website.
The privacy data items used are: First Name, Middle Initial, and Last Name as well as
organization (government or contractor) email address.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The name of an individual may be shared across agencies for the purpose of contacting that
individual with respect to a contract. This might be the CO, COTR, or other federal employee,
or a representative of a contractor company who needs to be contacted by the Federal
procurement organization.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The system only collects
Federal Contract Data in the form of organizational data and work contact information for the
organization's representative, such as CO's and COTR's. It also collects contractor data
organized by corporation and contact information for the corporation to the extent necessary to
make an award to the contractor with the winning proposal. (2) e-GOS is a tool similar to GSA
e-BUY and FedBizOpps where solicitations are posted for review, competition, and award by
contractors. (3) The PII contained in the information includes only the name of individuals, their
place of employment, and work phone, address, and email. (4) Submission of personal
information is not required and not desired.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Major changes in e-GOS do not require obtaining
consent from users. No notification procedures are required.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to the system is based on roles. The
system will be protected with intrusion detection, intrusion prevention, vulnerability scans and
firewalls.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Electronic Research
Administration [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/26/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-01-4613-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036, 09-25-0168
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD Electronic Research
Administration (eRA) (FISMA)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: The electronic Research Administration (eRA)
program is a component of the Office of Research Information Systems (ORIS) in the NIH
Office of Extramural Research (OER), headquartered in Bethesda, Maryland. The eRA systems
provide information technology solutions and support for the full life cycle of grants
administration functions for the NIH as well as the Agency for Healthcare Research and Quality
(AHRQ), Centers for Disease Control and Prevention (CDC), Food and Drug Administration
(FDA), the Substance Abuse and Mental Health Services Administration (SAMHSA) and the
Veterans Health Administration (VA). eRA systems align with Grants.gov (the one-stop Web
portal for finding and applying for federal grants), allowing for full electronic processing of grant
applications from application submission through closeout of the grant award. eRA supports two
main subsystems: "eRA Internal Applications" (also known as IMPAC II (Information for
Management, Planning, Analysis, and Coordination)), used by NIH staff, and "eRA External
Applications" (Commons, iEdison), accessed by the grantee community through the Internet.
eRA helps DHHS achieve its missions of medical discovery and science management by: 1)
electronically capturing, managing, and protecting research grant-related data, 2) reducing
administrative overhead, 3) reporting research grant-related data as information to NIH and
extramural communities, and 4) enabling the synthesis of the information into knowledge that
can guide the management of the NIH research portfolio and improve the Nation’s health.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The eRA program facilitates
grants administration support to NIH Institutes and Centers and to DHHS agencies that fund
extramural research. eRA acts as the infrastructure for conducting interactive electronic
transactions for the receipt, review, monitoring, administration and closeout of NIH grant awards
to biomedical investigators worldwide.
The SORNs listed in response to question #4 cover the eRA systems as a whole. Refer to the
PIAs for the individual eRA systems for details on the information collected by the systems,
what the information is used for, whether the information contains PII, and whether submission
of personal information is voluntary or mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Electronic TRP
Information Management System (eTIMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Electronic Technical Refreshment
Proposal Information Management System (eTIMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Tim Warrington, Sanjay
Panniken
10. Provide an overview of the system: The eTIMS vendor portal will help vendors upload
their proposals in the proposed format and view the status of their proposals. It will provide
automated data quality checks and provide the result instantaneously to the vendors if any data
validation error occurs so that the vendor can perform the corrective action and upload. This
portal will enable the vendor to view the current status of their proposal and perform actions
based on their proposal status. The external users for this portal will be the vendors on Electronic
Commodities Store III (ECS III) contract who will have limited privileges as Vendor roles.
Another web module, the eTIMS II Support Team Portal, which uses the same database, will help the
support team at the National Institutes of Health Information Technology Acquisition and
Assessment Center (NITAAC) to review the received proposal and approve/disapprove the
individual Contract Line Item Numbers (CLINs) under the proposal. Only NITAAC internal
users will have access to this application and will perform the role of Support team reviewer,
Quality Control (QC), Contracting Officer (CO) and admin roles.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system will have the
proposal data which will be submitted by the prime contractors under the ECS III contract. The
prime contractors are the approved vendors, such as DELL, HP, etc., under the ECS III contract. It will
store the list of prime contractors and the users belonging to those prime contractors who will be
able to use this system after registration. No personal information is stored except for the name
of the user. This system does not store federal contact data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) We do not expect to store any PII other
than the name of the user, but if that happens in the future, proper notifications (emails,
notices published on the vendor portal) explaining why the data needs to be captured and how it will be
used will be transmitted to all the vendor users, and their consent will be obtained.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: In terms of administrative controls, we have a
security plan in place, and the system administrators, managers and operators are trained and
made aware of their responsibilities in securing the privacy of the PII data. A User Manual is
available which provides role-based details on the tasks that can be accomplished using the
system. Apart from this, methods are in place to ensure least privilege and only provide the
required access to individual users.
In terms of technical controls, the system requires a username and password to access. The
system is secured within the NIH firewall. Furthermore, an intrusion detection system is in place
which is monitored regularly to proactively identify any intrusion into the system and thus provide
a safe environment.
In terms of physical controls, only authorized personnel can access the physical location, by
using key cards to enter the location, which is monitored using closed-circuit TV.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Employee Database
Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Employee Database Internet
Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Pat Porter or Deepak Mathur
10. Provide an overview of the system: EDie is an intranet based application primarily used to
manage and track personnel information. Authority for maintenance of the system: 5 U.S.C.
1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is intended for internal administrative use only and will not be shared by other
entities. Refer to SORN 09-90-0018, SORN 9-90-0024 and 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: EDie tracks all information
pertinent to a personnel file for the purpose of personnel management activities. Information is
collected from the employees via the Human Resources Database (HRDB) system, Fellowship
Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses
consist of the following: a) tracking time-limited appointments to ensure renewals are done in a
timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are
maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports
requested by the NIH Director, the IC Director, and other management staff, as requested;
and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring
appointments. The following PII data elements are collected, maintained or disseminated on the
system: name, date of birth, SSN, Personal Mailing Address, Personal Phone Numbers,
Personal Email Address, Employment Status, and Foreign Activities. The information collected
constitutes PII and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS,
nVision Data Warehouse and NED. Changes to the HRDB or changes in the way information is
used are relayed to employees via official notices from the NIH Office of Human Resources
(OHR). Individuals are notified of the collection and use of the data as part of the hiring process.
This is a mandatory requirement for potential applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII stored in EDie is accessed by a very
limited number of administrative staff with a "need-to-know" status. EDie is password protected
and sensitive data is encrypted. The system is located at the OD location in Building 31, Room
B1E35 for Production servers and Building 6705 Rockledge, Room 1179 for Test servers, behind
the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Enterprise Ethics
system (NEES)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4678-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): OGE/GOVT-1 and OGE/GOVT-2
5. OMB Information Collection Approval Number: SF-278 approval form No. 3209-0001
(Public Financial Disclosure Statement), OGE-450 (Confidential Financial Disclosure Report),
HHS-520 (Request for Approval of Outside Activity), HHS-521 (Approval Report of Outside
Activity), NIH-2854 (Request for Approval to Accept Gifts Associated with an Award From an
Outside Organization)
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH OD Ethics NEES (NIH Enterprise
Ethics System)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Holli Beckerman-Jaffe/Genia H.
Bohrer
10. Provide an overview of the system: The NIH Enterprise Ethics System (NEES) is a secure
web-based workflow management and information technology system in support of the NIH
Ethics Program that assists NIH staff with meeting the required statutes and regulations
governing the ethical behavior of Executive Branch employees of the Federal Government.
The objective of NEES is the comprehensive automation of the NIH Ethics Program that takes
into account various business policies and processes at NIH, through the utilization of numerous
related applications and data stores. Specifically, NEES will provide the means to:
· Electronically submit all ethics-related reports and requests along with supporting
documentation
· Electronically review and approve all ethics-related reports and requests, along with supporting
documentation
· Electronically track and report on all ethics-related reports and requests, submissions, reviews,
and approvals as well as other related activities associated with the Ethics Program at NIH
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII contained in NEES is shared with users in HHS Office of General Counsel for the purpose of
reviewing forms submitted by the senior staff at NIH. This data is also available to two NEES
technical staff contractors for the purpose of connecting the NEES production database with the
development database.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects and
maintains personal financial data for designated employees, including assets, income, liabilities,
transactions, gifts, outside positions, and financial agreements. All of this information is
considered PII, although the system does not collect or store any identifying account numbers.
This information is reviewed by NIH Ethics Officials to ensure no actual or apparent Conflict of
Interest (COI) exists that would breach the public trust. The reporting of this information is
mandatory, required by several different statutes and regulations at various levels of government:
Federal, HHS, and NIH.
Section 5301 of Title 5 of the U.S. Code authorizes collection of this information and includes
actions to be taken when this information is not provided.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The website publishes release notes to the site to notify
users when major changes occur to the system. The website used to collect the data contains a
Security and Privacy Notice detailing the authority for collection as well as the purposes and
uses of the information.
Consent is not required as reporting of this information is required as a condition of employment
and by Federal law.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative: Access to financial data is
limited to 3 people: the filer who enters and submits the data; the Ethics Coordinator assigned to
review the data, and the Deputy Ethics Counselor who reviews the data and certifies the form.
Only these 3 people have the ability to let anyone else view the data.
Technical: Access to the system is controlled by NIH log-in which authenticates the user prior to
granting access. Access level and permissions are controlled by the system and based on user,
role, organizational unit, and status of the report. All servers have been configured to remove all
unused applications and system files and all local account access except when necessary to
manage the system and maintain integrity of data.
Physical controls: The servers reside in the CIT Computer Room where policies and procedures
are in place to restrict access to the machines. This includes guards at the front door and entrance
to the machine room as well as an IRIS scan.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Genia Hess Bohrer/Holli Beckerman-Jaffe
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Commons
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/26/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD eRA-Commons
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: The eRA Commons is one of the "external"
subsystems supported by the Electronic Research Administration (eRA), and is accessed by the
grantee community through the Internet. The eRA Commons provides an interface where grant
applicants, grantees and federal staff at NIH and grantor agencies can access and share
administrative information relating to research grants.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information is only used internally and is controlled via role based access controls.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information includes name,
date of birth (voluntary), last 4 digits of the Social Security Number (voluntary), gender
(voluntary), mailing address, phone number, e-mail address, citizenship information, education
record, and employment status. Commons provides grants administration support to the NIH
institutes and centers, and to other Department of Health and Human Services (DHHS) agencies
that fund extramural research, and the VA. Submission of PII information is mandatory except
where stated otherwise and is used to create the database record for the grant application. Date of
birth and gender offer a Do Not Wish to Provide option.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No process exists to notify or obtain consent when there
is a major change to the system that affects disclosure and/or data uses, since the notice is given
at the time of the original collection. Applicants are notified that data is collected when they enter it
into the system or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include certification
and accreditation, system security plan, contingency plan, system backups, policies, and
procedures. Technical controls include user ID and password to access system, as well as
firewalls, VPN, and encryption. Physical Controls include guards, ID badges, key cards, and
locked SAS 70 audited server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Electronic
Council Book (ECB)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/26/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): eRA-Electronic Council Book (ECB)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: eRA's Electronic Council Book (ECB) is an
administrative tool used to provide summary statements, percentiles, priority scores, key
identifying information, and supporting documents for grant applications going to council for
second level review. ECB is a subsystem of the larger Electronic Research Administration (eRA)
information system, which as a whole facilitates grants administration support to NIH institutes
and centers and to all DHHS agencies that fund extramural research; eRA acts as the
infrastructure for conducting interactive electronic transactions for the receipt, review,
monitoring, administration and closeout of NIH grant awards to biomedical investigators
worldwide.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: eRA's Electronic Council
Book (ECB) is an administrative tool used to provide summary statements, percentiles, priority
scores, key identifying information, and supporting documents for grant applications going to
council for second level review. ECB is a subsystem of the larger Electronic Research
Administration (eRA) information system. (1) ECB has the ability to conduct on line reviews of
grant applications. This is accomplished via a mechanism called “Early Concurrence." Advisory
Council members are assigned to panels created by the various NIH institutes. When members
log into the ECB, if they are members of these panels, they have the ability to perform two
actions with respect to the applications they have been assigned to review: (a) they can cast votes
on line to indicate whether they agree with funding or not funding the application(s) and (b) they
may write comments and submit them for the purpose of explaining the rationale behind the
votes they have cast. No other information is collected from Council Members. ECB data
administrators in each NIH institute have the ability to view this data and create report outputs
summarizing both votes and comments. (2) The information is collected for the purpose of
conducting expedited council reviews (“early concurrence”) which enables NIH institutes to
fund qualifying applications in advance of the regular council review cycle. This expedited
review process serves the purposes of distributing workload for grants specialists, reducing
workload at actual council meetings and shortening the funding cycle so that research dollars
reach applicants more quickly. (3) No PII is collected, processed, or disseminated. ECB only
displays grant summary statements, not full grant applications. Only the Principal Investigator’s
name is displayed. (4) There is no submission of PII required.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Pete Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Information for
Management, Planning, Analysis, and Coordination (IMPAC II)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/26/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD eRA-Information for Management,
Planning, Analysis, and Coordination (IMPAC II)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: IMPAC II (Information for Management, Planning,
Analysis, and Coordination) is one of the two main subsystems supported by the Electronic
Research Administration (eRA), which as a whole facilitates grants administration support to
NIH Institutes and Centers and to DHHS agencies that fund extramural research. eRA acts as the
infrastructure for conducting interactive electronic transactions for the receipt, review,
monitoring, administration and closeout of NIH grant awards to biomedical investigators
worldwide. IMPAC II includes modules and applications for specific business functions as well
as cross-cutting modules and query tools and is the main internal subsystem of the eRA program.
IMPAC II is used only by authorized NIH staff and authorized users at eRA’s Federal agency
partners. IMPAC II provides a suite of electronic tools (modules and applications) to support the
four primary phases of grants administration: intake, review, award, and post award
management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information is only used internally and is controlled via role-based access controls.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information includes name,
date of birth (voluntary), last 4 digits of the Social Security Number (voluntary), gender
(voluntary), mailing address, phone number, e-mail address, citizenship information, education
record, and employment status. IMPAC II is used internally at NIH for the processing of grants
and awards. Submission of PII information is mandatory except where stated otherwise and is
used to create the database record for the grant application. Date of birth and gender offer a Do
Not Wish to Provide option.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No process exists to notify or obtain consent when there
is a major change to the system that affects disclosure and/or data uses, since the notice is given
at the time of the original collection. Applicants are notified that data is collected when they enter
it into the system or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include certification
and accreditation, system security plan, contingency plan, system backups, policies, and
procedures. Technical controls include user ID and password to access system, as well as
firewalls, VPN, and encryption. Physical Controls include guards, ID badges, key cards, and
locked SAS 70 audited server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Internal
Applications
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/26/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD eRA Internal Applications
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: eRA Internal Applications is one of two main
subsystems supported by the Electronic Research Administration (eRA), which as a whole
facilitates grants administration support to NIH Institutes and Centers and to DHHS agencies that
fund extramural research. eRA acts as the infrastructure for conducting interactive electronic
transactions for the receipt, review, monitoring, administration and closeout of NIH grant awards
to biomedical investigators worldwide. eRA Internal Applications include modules and
applications for specific business functions as well as cross-cutting modules and query tools and
is the main internal component of the eRA program. eRA Internal Applications are used only by
authorized NIH staff and authorized users at eRA’s Federal agency partners. eRA Internal
Applications provide a suite of electronic tools (modules and applications) to support the four
primary phases of grants administration: intake, review, award, and post award management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information is only used internally and is controlled via role-based access controls.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information includes name,
date of birth (voluntary), last 4 digits of the Social Security Number (voluntary), gender
(voluntary), mailing address, phone number, e-mail address, citizenship information, education
record, and employment status. eRA Internal Applications are used internally at NIH for the
processing of grants and awards. Submission of PII information is mandatory except where
stated otherwise and is used to create the database record for the grant application. Date of birth
and gender offer a Do Not Wish to Provide option. Not all eRA Internal Applications have
access to the PII that is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No process exists to notify or obtain consent when there
is a major change to the system that affects disclosure and/or data uses, since the notice is given
at the time of the original collection. Applicants are notified that data is collected when they enter
it into the system or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include certification
and accreditation, system security plan, contingency plan, system backups, policies, and
procedures. Technical controls include user ID and password to access system, as well as
firewalls, VPN, and encryption. Physical Controls include guards, ID badges, key cards, and
locked SAS 70 audited server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Research,
Condition, and Disease Categorization (RCDC)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 7/26/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): eRA-Research, Condition, and Disease
Categorization (RCDC)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: eRA's RCDC is a computerized reporting process NIH
uses to sort and report NIH funding in each of 215 historically reported categories of disease,
condition, or research. RCDC is a subsystem of the larger Electronic Research Administration
(eRA) information system, which as a whole facilitates grants administration support to NIH
institutes and centers and to all DHHS agencies that fund extramural research; eRA acts as the
infrastructure for conducting interactive electronic transactions for the receipt, review,
monitoring, administration and closeout of NIH grant awards to biomedical investigators
worldwide.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: eRA's RCDC is a
computerized reporting process NIH uses to sort and report NIH funding in each of 215
historically reported categories of disease, condition, or research. RCDC is a subsystem of the
larger Electronic Research Administration (eRA) information system. (1) RCDC reports on three
types of NIH funding: research grants (extramural research), research and development (R&D)
contracts, and research conducted in NIH's own laboratories and clinics (intramural research). (2)
RCDC provides NIH and its Federal agency partners a complete list of funded research projects
by category, consistent category definitions applied to all projects each year, and a clear and
efficient process for categorizing and reporting on NIH funding. NIH reports funding to the
public for the 215 categories, but also provides funding data for categories beyond the 215 public
categories that are used for NIH internal planning and analysis. (3) No PII is collected,
processed, or disseminated. RCDC only displays grant summary statements, not full grant
applications. Only the Principal Investigator's name is displayed. (4) There is no submission of
PII required.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Pete Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Genetic Modification
Clinical Research Information Systems [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/15/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-01-4630-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200 (Clinical, Basic and Population-Based Research
Study Records)
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): 009-25-01-26-02-4630-00
7. System Name (Align with system Item name): Genetic Modification Clinical Research
Information System (GeMCRIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ms. Kelly Fennington,
NIH/OBA (301)496-9839
10. Provide an overview of the system: To enhance the collection, analysis, and application of
safety information related to human gene transfer clinical trials.
NIH is a major focal point within the U.S. Department of Health and Human Services (DHHS)
for addressing the scientific, ethical, legal, and societal issues raised by advances in biotechnical
research. A critical objective in NIH's mission is to gather, evaluate, and disseminate
information regarding developments in biomedical research programs. NIH provides the
information to the general public, which includes patients and their families, physicians,
advocacy groups, researchers, biosafety experts, and industry representatives. NIH is sponsoring
several initiatives aimed at enhancing the systematic collection, analysis, and application of
safety information from gene therapy clinical trials. One of these initiatives is the Genetic
Modification Clinical Research Information System (GeMCRIS). GeMCRIS is a data system
developed by the Office of Biotechnology Activities (OBA) in collaboration with the Food and
Drug Administration (FDA) to manage information about the conduct of gene transfer clinical
trials. A key contribution of GeMCRIS is that it will permit access to information in a form that
enhances the types of review and analyses critical for optimizing patient safety, identifying
critical information gaps, and facilitating scientific collaboration and progress.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII may be entered into the system by various stakeholders, including investigators, study
coordinator, and sponsors. The system will share or disclose PII to NIH and FDA for the
purpose of Government data analysis and research-safety surveillance.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) In general, the system
has the capability to include PII relating to:
- General Notification Information (e.g., Provider/Physician Name, reporter name, Manufacturer
contact name, etc.)
- Subject Demographic Information (including Patient Identifier, Patient’s age/DOB, gender,
race, height, weight)
- Medical and Event Information (including Adverse Event description containing event
outcome, symptoms, reactions, diagnosis, lab results, autopsy information, vaccine information,
subject medical history, interventions, observations, and may also include attachments of
medical records).
(2) The agency will use the information to support Government data analysis and research-
safety surveillance.
(3) As indicated above, data collected may include PII.
(4) The submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) Any major changes to the use of PII stored in the
system will be communicated to individuals established for providing notices to participants who
are subjects of the research.
(2) Individuals consent to participation in the research, so consent is obtained to use that
information before the information is entered into the system.
(3) PII (such as DOB, Medical Notes) can only be accessed and viewed by the personnel who
are associated with the clinical trials and adverse events.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: GeMCRIS servers are protected by two
firewalls: GeMCRIS private firewall and NIH firewall. Only authorized users (whose GeMCRIS
access requests have been reviewed and approved by OBA) can access GeMCRIS and their
associated adverse event reports. The System Security Plan contains a detailed description of all
the physical, technical and administrative controls that are in place.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kelly Fennington, NIH/OBA (301) 496-9838
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Grantee Financial
Conflict of Interest System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: 0925-0417
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Grantee Financial Conflict of
Interest (FCOI) Notifications Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: David Rosen
10. Provide an overview of the system: The internal OER FCOI Notifications database was
initially developed in 2004 to track incoming FCOI report information. These FCOI reports are
received from grantee institutions that identify a financial conflict of interest for an individual
defined as an “Investigator” under the FCOI regulation. Information from the incoming report,
including the Investigator’s name, was manually entered into the database by the Office of
Policy for Extramural Research Administration. The internal database was revised in 2007 to
include use by NIH IC extramural staff so they could monitor the receipt and review of FCOI
reports submitted to NIH. In 2009, NIH developed and implemented an electronic research
administration (eRA) Commons FCOI Module for the grantee community’s use to report
identified FCOIs to the NIH for grants and/or cooperative agreements. The information
submitted through the Commons is transmitted to IC staff through the FCOI Notifications
database. NIH made use of the FCOI Notifications database mandatory for NIH IC extramural
staff on 3/1/2008 and the eRA Commons FCOI Module was made mandatory for use by grantees
on 7/1/2009.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The PII information includes the name of the Investigator with the identified conflict that is
shared with the NIH staff to monitor the receipt and review of FCOI reports submitted to the
NIH by grant and cooperative agreement applicants and/or award recipients.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The information
collected and/or maintained in the FCOI Notifications database will include the following:
Project number;
Awarding IC Name;
Grants Management Contact;
Date of incoming FCOI report;
Date of acknowledgement letter sent documenting receipt of FCOI report;
Grantee Institution Name and subrecipient name, if applicable;
Grantee Institution Official’s name and contact information (not federal contact information);
Name of the Investigator with the conflict;
Name of the entity with which the Investigator has an FCOI;
Name of the financial interest;
Value of the financial interest;
A description of how the financial interest relates to the NIH-funded research and the basis for
the Institution’s determination that the financial interest conflicts with such research;
A description of the key elements of the Institution’s management plan;
Any attachments included by the grantee or IC;
Date when the grants management staff notifies the program staff of the incoming report;
Date of any follow-up letter sent to the grantee;
Date when the IC completes its review;
NIH review status (e.g., pending, completed or legacy);
Commons Status (e.g., WIP, Submitted);
FY or Calendar Year FCOI report was submitted.
(2) This information is used by NIH staff to monitor the receipt and review of FCOI reports
submitted to the NIH by grant and cooperative agreement applicants and/or award recipients.
(3) The database contains the name of the investigator with the identified conflict. The name of
the individual is the only PII data collected.
(4) Mandatory
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1- The FCOI database pulls its information from the eRA
system of records, so this element is not applicable.
2- The Grantee Institution submits the FCOI report information on the behalf of the Investigator
with the noted conflict; NIH does not seek consent from individuals themselves.
3- Information within the system is available for viewing by NIH program and grants
management staff during the pre award, award, and post award stages to assess information
reported by grantee institutions. Information found in the FCOI Notifications database will
generally not be shared outside of NIH. However, this information is subject to the Freedom of
Information Act (FOIA).
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative: Direct access to the
database is restricted to a few administrative users with associated permissions stored on the
server. The database is housed at the NIH Data Center and is protected with general network
firewalls as well as application-specific firewalls and Disaster Recovery protection. Technical:
This site is subject to CIT security scans and reviews of physical security, and operating
practices and procedures. Certification and Accreditation of hosting systems is done in
accordance with NIH policies and procedures. Only users with registered credentials on secured
servers have direct access to related databases. Physical: The NIH Data Center provides 24-7
physical security of its server room. Only authorized users that pass through CIT security guards
have physical access to the server.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Human Embryonic
Stem Cell Registry Application (hESCRegApp)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Human Embryonic Stem Cell Registry
Application (hESCRegApp)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: David Rosen
10. Provide an overview of the system: The hESC Registration Application Database is a web-based
application that will allow NIH to collect, manage and approve hESC lines.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Approximately 10 reviewers will be able to access PII contributed by respondents. Reviewers
will be both NIH personnel and selected individuals working on behalf of NIH.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Individuals submitting data
on stem cell lines will be asked for contact information for the purpose of facilitating NIH
review of those lines. Submission of all information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1) Email addresses and other contact information will
be collected from individuals who submit data; this contact information will allow NIH to contact
them should changes to how PII is used occur.
2) The website that collects the data on stem cell lines will contain an easily accessible privacy
statement regarding collected PII.
3) The website that collects the data on stem cell lines will contain information that notifies
respondents that PII will only be shared with reviewers.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls are in place including
guards, keycards, and ID badges.
Administrative controls are in place that ensure least privilege for each user group as appropriate.
System administrators will have full access, but the general public will only be able to submit
and browse survey responses. All system administrators take required training each year to
ensure they understand how to secure information systems and PII data properly.
Technical controls are in place to ensure that those with access to sensitive data and systems use
industry-accepted best practices to secure login credentials. A corporate firewall is in place that
only allows web traffic in from outside of NIH; all other firewall ports are closed to prevent
outside intrusion.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Human Resources
Database [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-4999-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): Human Resources Database (HRDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kimberly Hill
10. Provide an overview of the system: The database contains information collected by the
Enterprise Human Resources and Payroll System (EHRP) for the purposes of HR reporting.
This information includes job-related data as well as PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information in these records may be used:
(1) By the Office of Personnel Management, Merit Systems Protection Board (including its
Office of the Special Counsel), Equal Employment Opportunity Commission, and the Federal
Labor Relations Authority (including the General Counsel of the Authority and the Federal
Service Impasses Panel) in carrying out their functions.
(2) In the event an appeal is made outside the Department, records which are relevant may be
referred to the appropriate agency charged with rendering a decision on the appeal.
(3) In the event that this system of records indicates a violation or potential violation of law,
whether civil, criminal or regulatory in nature, and whether arising by general statute or
particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant
records in the system of records may be referred, as a routine use, to the appropriate agency,
whether federal, or foreign, charged with the responsibility of investigating or prosecuting such
violation or charged with enforcing or implementing the statute, or rule, regulation or order
issued pursuant thereto.
(4) In the event the Department deems it desirable or necessary, in determining whether
particular records are required to be disclosed under the Freedom of Information Act, disclosure
may be made to the Department of Justice for the purpose of obtaining its advice.
(5) A record from this system of records may be disclosed as a “routine use” to a federal, state or
local agency maintaining civil, criminal or other relevant enforcement records or other pertinent
records, such as current licenses, if necessary to obtain a record relevant to an agency decision
concerning the hiring or retention of an employee, the issuance of a security clearance, the
letting of a contract, or the issuance of a license, grant or other benefit. A record from this
system of records may be disclosed to a federal agency, in response to its request, in connection
with the hiring or retention of an employee, the issuance of a security clearance, the reporting of
an investigation of an employee, the letting of a contract, or the issuance of a license, grant or
other benefit by the requesting agency, to the extent that the record is relevant and necessary to
the requesting agency's decision on the matter.
(6) In the event that this system of records indicates a violation or potential violation of law,
whether civil, criminal or regulatory in nature, and whether arising by general statute or
particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant
records in the system of records may be referred, as a routine use to the appropriate agency,
whether state or local charged with the responsibility of investigating or prosecuting such
violation or charged with enforcing or implementing the statute, or rule, regulation or order
issued pursuant thereto.
(7) Where federal agencies having the power to subpoena other federal agencies' records, such as
the Internal Revenue Service or the Civil Rights Commission, issue a subpoena to the
Department for records in this system of records, the Department will make such records
available.
(8) Where a contract between a component of the Department and a labor organization
recognized under E.O. 11491 or 5 U.S.C. Chapter 71 provides that the agency will disclose
personal records relevant to the organization's mission, records in this system of records may be
disclosed to such organization.
(9) The Department contemplates that it will contract with a private firm for the purpose of
collating, analyzing, aggregating or otherwise refining records in this system. Relevant records
will be disclosed to such a contractor. The contractor shall be required to maintain Privacy Act
safeguards with respect to such records.
(10) Disclosure may be made to a congressional office from the record of an individual in
response to an inquiry from the congressio
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information provided in HR
status/informational/metric/performance reports. PII is mandatory for metric reporting
purposes.
HRDB collects data on NIH employees (e.g., action type, employee name, Empl ID, IC). The
agency uses the data to provide performance metrics to HR and NIH management. The
collection of minimal personal data is mandatory for reporting.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) HRDB collects minimal personal data, e.g., name,
Empl ID, organization, etc. It does not rely on SSNs or DOBs; therefore, no employee consent is
obtained. Emails are sent to supervisors and users when changes in profiles/accounts occur.
Notices are sent electronically, by email.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: System uses an ID and passwords;
passwords are changed every 60 days. Access is based upon roles and on a need to know basis.
Users are locked out after a specified time period and number of login attempts.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen P
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Information Security
and Privacy Awareness Training
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-02-3112-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): OPM GOVT-1, General Personnel Records
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD Information Security and Privacy
Awareness Training
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Captain Cheryl A. Seaman and
Karen Pla
10. Provide an overview of the system: The NIH security and privacy awareness website
contains a variety of courses which pertain to annual information security awareness, privacy
awareness, securing remote computers, completing refresher requirements, etc. The security
awareness training is mandatory for all NIH employees and contractors within 30 days of
employment. All NIH personnel and other persons using IT equipment and information systems,
or who access personally identifiable, protected health and sensitive information are required to
complete the courses. The system also allows individuals to self-record role-based training. It
also allows individuals to accept (agree to adhere to) the NIH IT General Rules of Behavior, and
if relevant, the Remote Access User Certification Agreement.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information about the status of training completion may be shared with supervisors for the
purpose of reporting non-compliance with the mandatory requirement to complete the training
within the specified timeframe.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The training course requires
that NIH users log onto the course using their HHS Badge Number. Members of the public are
not required to provide any PII. Their progress is not tracked but they can receive a certificate of
completion.
The tracking system exists to allow recordation of user's training, agreement to follow the NIH
IT General Rules of Behavior, and if relevant, agreement to follow remote access requirements.
Individual record information is not disseminated. Compliance statistics are reported to HHS
and OMB in the aggregate.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Aside from an individual's name and HHS Badge
Number, there is no other PII in the system. When an NIH employee or contractor
logs in with their HHS Badge Number, this system runs against active NIH Enterprise
Directory (NED) data to derive the identity of the individual. The individual is then prompted to
verify (Yes or No) their identity so they will receive credit for the course.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: From a User's perspective: Any user can
log into the training website and view their Student Record, which provides the relevant completion
information (i.e., dates modules/courses were completed). If they have any concerns
about the recordation, they can contact the NIH IT Service Desk.
From the Administrator perspective: There are different levels of access depending on the role
of the individual accessing the tracking system. These roles include administrator privileges,
Institute/Center-specific access with or without authorization capability, read-only, read-only and
authorize capability.
Tracking system users authenticate to the tracking system with a unique 10-character password.
The need for ongoing access to this online tracking system is verified annually. When a person
leaves or they are no longer considered to need access, they are made inactive and can no longer
access the data.
The type of role assigned to users is derived based on a request by the relevant Institute/Center
Information Systems Security Officer or Privacy Coordinator and their need for access.
There is a time-out feature for inactivity (15 minutes) that requires the user to log back into the
system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen P
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/12/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Integrated Library
System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3304-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0217
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Innopac
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ben Hope
10. Provide an overview of the system: Innopac is the Integrated Library system that runs the
Division of Library Services catalog, their web interface to the DLS catalog, the patron file with
public NED information, the acquisitions information for book and journal purchases, and the
catalogs for 5 other Libraries.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not normally disclose IIF to other groups. However, under particular
circumstances, the following reasons can cause information to be released (SOR# 09-25-0217):
Records will be routinely disclosed to the Treasury Department in order to effect payment.
Records may be disclosed to Members of Congress concerning a Federal financial assistance
program in order for members to make informed opinions on programs and/or activities
impacting on legislative decisions. Also, disclosure may be made to a Member of Congress or to
a Congressional staff member in response to an inquiry from the Congressional office made at
the written request of the individual.
Disclosure may be made to the Department of Justice for the purpose of obtaining its advice
regarding whether particular records are required to be disclosed under the Freedom of
Information Act.
A record from this system may be disclosed to a Federal, State or local agency maintaining civil,
criminal or other relevant enforcement records or other pertinent records, such as current
licenses, if necessary to obtain a record relevant to an agency decision concerning the hiring or
retention of an employee, the issuance of a security clearance, the reporting of an investigation of
an employee, the letting of a contract or the issuance of a license, grant or other benefit by the
requesting agency, to the extent that the record is relevant and necessary to its decision on the
matter.
Where Federal agencies having the power to subpoena other Federal agencies’ records, such as
the Internal Revenue Service (IRS) or the Civil Rights Commission, issue a subpoena to the NIH
for records in this system of records, the NIH will make such records available, provided
however, that in each case, the NIH determines that such disclosure is compatible with the
purpose for which the records were collected.
Where a contract between a component of HHS and a labor organization recognized under E.O.
11491 provides that the agency will disclose personal records relevant to the organization’s
mission, records in the system of records may be disclosed to such an organization.
A record may be disclosed to the Department of Justice, to a court, or other tribunal, or to
another party before such tribunal, when: (1) HHS, or any component thereof; (2) any HHS
employee in his or her official capacity; (3) any HHS employee in his or her individual capacity
where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent
the employee; or (4) the United States or any agency thereof where HHS determines that the
litigation is likely to affect HHS or any of its components, is a party to the litigation or has an
interest in the litigation, and HHS determines that the use of such records by the Department of
Justice, the tribunal, or the other party is relevant and necessary to the litigation and would help
in the effective representation of the government party, provided however, that in each case,
HHS determines that such disclosure is compatible with the purpose for which the records were
collected.
A record about a loan applicant or potential contractor or grantee may be disclosed from the
system of records to credit reporting agencies to obtain a credit report in order to assess and
verify the person’s ability to repay debts owed to the Federal Government.
When a person applies for a loan under a loan program as to which the OMB has made a
determination under I.R.C. 6103(a)(3), a record about his or her application may be disclosed to
the Treasury Department to find out whether he or she has a delinquent tax account, or the sole
purpose of determining the person’s creditworthiness.
A record from this system may be disclosed to the following entities in order to help collect a
debt owed the United States:
a. To another Federal agency so that agency can effect a salary offset;
b. To the Treasury Department or another Federal agency in order to effect an ad
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information system
does not collect any IIF from individuals. IIF is contained within the application; however, the
only IIF contained in the system is received from the NIH Enterprise Directory (NED)
through nightly updates. Specifically, the system receives:
NIH ID
Name
NIH email
Office Location
Mail Stop
Office Phone Number
All of this information is public information which can be viewed at ned.nih.gov The
information is used to identify the patron list for the Division of Library Services.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Contact the official at the address specified under
notification procedure above, identify the record, and specify the information being contested,
the corrective action sought, and the reasons for requesting the correction, along with supporting
information to show how the record is inaccurate, incomplete, untimely, or irrelevant.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is protected by a number of
different controls that can be viewed in detail in the system C&A package. Some of the major
controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user
names and passwords, and role-based access. For physical protection, the NIH campus is
protected by guards and police; in addition, the server itself is kept behind a locked door.
Administratively, procedures are in place to allow only individuals with a job-related need to
access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Integrated Time and
Attendance System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/8/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-01-4605-00-403-132
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Integrated Time and Attendance
System (ITAS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: James Chung
10. Provide an overview of the system: The Integrated Time and Attendance System (ITAS) is
an automated federal timekeeping system developed by the National Institutes of Health. It was
modeled after a system developed at the National Science Foundation. ITAS provides a way for
employees, timekeepers, administrative officers, and supervisors to record, track, and report time
for work hours, leave activities and payroll purposes. Institute personnel such as Timekeepers
and Administrative Officers edit the employee profile so it includes accurate time, leave, and
tour of duty information. Once employee profiles are established, employees can use the system
to record and track their time and attendance. The payroll cycle is bi-weekly. Therefore, every
two weeks, ITAS system processes are run to compute and accrue leave earned, generate
timecards for the upcoming pay period, and produce an output file from the system to be
transmitted to the Defense Finance and Accounting Services (DFAS) payroll system via the
Department of Health and Human Services (DHHS) payroll interface. Besides NIH, ITAS is also
used by the OPDIVs under DHHS, with the exception of the Centers for Disease Control (CDC).
Authority for the maintenance of the system is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501,
7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
ITAS shares IIF information with DFAS Payroll System employed by DHHS for the purpose of
payroll processing. SOR #: 09-90-0018
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: ITAS contains users’ PII
that is not collected from the individual user. The user’s PII, such as
username and SSN, is gathered by HR and entered into ITAS by an Administrative Officer
to set up the employee’s profile. The submission of the users’ PII (SSN and username)
along with their time and attendance information to DFAS (Payroll System) biweekly is
mandatory for employees to get paid.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) ITAS does not collect IIF from individual users. Major
changes in ITAS do not require obtaining consent from users. No notification
procedures are required.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: General users access the system based on
their roles. Application administrators are restricted to modifying the configuration options that
are specific to application/web servers. Database Administrators have (R/W) access to the SQL
database. System administrators are responsible for maintaining the hardware and operating
system.
ITAS is integrated with NIH Login, SSO. Passwords expire after a set period of time. Accounts
are locked after a set period of inactivity. Minimum length of passwords is seven characters.
Passwords must be a combination of uppercase, lowercase, and special characters. Accounts are
locked after a set number of incorrect attempts.
The servers are located in the CIT Computer Center. Access to the NIH Computer Center
Building 12 complex is controlled. A security guard is stationed at the main entrance of the
complex, 24 hours a day, seven days a week. Anyone entering the building must display a valid
government ID showing a current identification photo, or register with the security guard to
acquire a temporary visitor’s badge. These badges must be worn at all times. All entrance doors
to the Building 12 complex, and the machine rooms are controlled by card-activated locks that
restrict access 24 hours a day seven days a week.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Pla
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Interagency Edison
(iEdison)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/11/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0168
5. OMB Information Collection Approval Number: 0925-0001 - Research and Research
Training Grant Applications and Related Forms
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD eRA-Interagency Edison (iEdison)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: J.P. Kim
10. Provide an overview of the system: Interagency Edison (iEdison) is one of the "external"
subsystems supported by the Electronic Research Administration (eRA). iEdison allows
government grantees and contractors to report government-funded inventions, patents, and
utilization data to the funding agency that made the award, as required by the federal Bayh-Dole
Act, its implementing regulations, and any related funding agreement terms and conditions.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The information is only used internally and is controlled via role based access controls.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: iEdison collects information
on government-funded inventions, patents, and utilization data that were developed under
funding awards from that agency. The information collected is provided for under 37 CFR 401,
FAR 52.227-11, FAR 52.227-12, 35 USC 200-212, and for the purpose of tracking, reporting,
and compliance activities under those laws and regulations and other pertinent policies, laws and
regulations covering these inventions and discoveries.
PII elements such as name, date of birth, Social Security Number, certificates and legal
documents, phone numbers, and e-mail address may be uploaded to the system via image files
uploaded as grant processing and invention supporting documentation. PII elements are not
requested nor in searchable form. The SORN listed in response to question #4 covers invention,
patent, and licensing documents as a whole, and is not meant to imply that iEdison in particular
collects, processes, or disseminates PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No process exists to notify or obtain consent when there
is a major change to the system that affects disclosure and/or data uses, since the notice is given
at the time of the original collection. Applicants are notified that data is collected when they enter it
into the system or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative controls include certification
and accreditation, system security plan, contingency plan, system backups, policies, and
procedures. Technical controls include user ID and password to access system, as well as
firewalls, VPN, and encryption. Physical Controls include guards, ID badges, key cards, and
locked SAS 70 audited server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD IP Track System
(IPTRACK)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): IP Track System (IPTRACK)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Charlie Jones
10. Provide an overview of the system: A database to track IP addresses of computer systems
and the locations of the computers; no IIF is collected. Only machine names and room numbers are
included in the database.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
None
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: A database to track IP
addresses of computer systems and the locations of the computers; no IIF is collected. Only machine
names and room numbers are included in the database.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: None
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica Lanier
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD IRT Portal
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/11/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD IRT Portal
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Christopher Todd
10. Provide an overview of the system: The IRT Portal is a repository for IT security
vulnerabilities at NIH. The primary users are the IRT and each individual IC ISSO. The IRT
Portal will be used to track security vulnerabilities related to all systems across NIH. The IRT
Portal will be able to interface with the HHS CSIRC Database for various data calls related to
security vulnerabilities and the status of each incident.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: A scalable and extendable
NIH monitoring and reporting system called IRT Portal. Production IRT Portal modules will
allow the NIH CISO to consolidate compliance monitoring and reporting of:
• Password Policy Waivers
• Encryption Policy Waivers
• Federal Desktop Core Configuration (FDCC) Policy Waivers
• Firewall Exceptions and Waivers
• Intrusion Detection System (IDS) Exceptions and Waivers
• Web Content Filtering Exceptions and Waivers
• Other Information Technology Policy Waivers
The IRT Portal loads data from an array of enterprise systems, including nVision, NIH Enterprise
Database (NED), Active Directory (AD), Network Security Section (NSS), AppScan and
Tenable Security Center. The IRT Portal is being extended to enable the NIH CISO to correlate
security incident data with other incidents as well as with applicable security policy waivers and
exceptions. Additionally, in the near term there will be an incorporation of RiskVision (CSIRC)
via an NIH Connector, which supports implementation of electronic reporting and exchange of
NIH security incidents with HHS. Future integration with NIH Certification and Accreditation
Tool (NCAT) and Security and Privacy Online Reporting Tool (SPORT) data is possible for
correlation of incident data, waiver data, and Interconnection Security Agreements
(ISAs)/Memoranda of Understanding (MOUs) with NCAT and SPORT data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No PII is collected or stored on the IRT Portal.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Loan Repayment
Programs Website [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/11/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-01-4619-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0165
5. OMB Information Collection Approval Number: OMB No. 0925-0361
6. Other Identifying Number(s): NIH/OER/DLR LRP System6
7. System Name (Align with system Item name): National Institutes of Health (NIH) Division
of Loan Repayment (DLR) - Loan Repayment Program (LRP) System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Steve Boehlert
10. Provide an overview of the system: The NIH Loan Repayment Programs (LRPs) are a vital
component of our nation's efforts to attract health professionals to careers in clinical, pediatric,
health disparity, or contraceptive and infertility research. In exchange for a two-year
commitment to a research career, NIH will repay up to $35,000 per year of qualified educational
debt, and covers Federal and state taxes that result from these benefits. The NIH LRP Website
and Electronic Application System provides a web-based interface for individuals to obtain
information, such as eligibility requirements and conditions for participating in the NIH loan
repayment programs. The website also provides an electronic application system. Applicants
log in to a secure website and provide all required documents, and can view the status of all
forms they have submitted, as well as the status of forms submitted on their behalf by their
supervisors, recommenders, and institutional officials. The NIH LRP system supports the NIH
strategic goal to foster a highly skilled and diverse workforce focused on research goals. Because this
investment allows applicants to apply for loan repayment online and submit forms electronically,
it supports the E-Gov initiatives. The program manages and complies with the NIH
Privacy Act System of Record # 09-25-0165, entitled "National Institutes of Health Office of
Loan Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD."
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Sallie Mae, AES, Department of Education, to request loan accessing information and
Institutional Officials and Non-NIH Scientists.
The NIH LRP Website and Electronic Application System provides a web-based interface for
individuals to obtain information, such as eligibility requirements and conditions for
participating in the NIH loan repayment programs (LRPs). The website also provides an
electronic application system. Applicants log in to a secure website and provide all required
documents, and can view the status of all forms they have submitted, as well as the status of
forms submitted on their behalf by their supervisors, recommenders, and institutional officials.
The NIH DLR LRP system supports the NIH strategic goal to foster a highly skilled and diverse
workforce focused on research goals. Because this investment allows applicants to apply for loan
repayment online and submit forms electronically, it supports the E-Gov initiatives.
The NIH System of Record # 09-25-0165, entitled "National Institutes of Health Office of Loan
Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD." NOTE: We have
submitted an update to the SORN – to be renamed NIH Division of Loan Repayment (DLR)
Records System
The LRP system interfaces with IMPAC II (Information for Management, Planning, Analysis
and Coordination). IMPAC II is the successor to NIH's original IMPAC information
management system. Its firewalls and user access controls ensure the security of confidential
grant, contract, and personal data. NIH staff and authorized users from other U.S. Government
agencies involved in health research have access to IMPAC II on a need-to-know basis.
The NIH DLR administers the application and disbursement processes for all of the LRPs, which
includes information dissemination, conducting the application receipt and referral process,
referring qualified applications to the NIH Institutes and Centers (ICs), evaluating educational
debt, reviewing basic eligibility, administering individual LRP contracts, establishing repayment
schedules with lending institutions, and obligating funds. Participating NIH ICs convene panels
consisting of non-NIH scientists to review, score, and rank applications. The ICs make funding
decisions and notify NIH DLR of the results of these decisions. Staff within the ICs coordinate
with the NIH DLR to ensure funds are available and that they are charged to the appropriate
CAN. These NIH staff also help guide applicants and participants who have questions about the
research component of their applications or about other aspects of the application process, such
as the peer review process.
The NIH DLR maintains and complies with the NIH Privacy Act System of Record # 09-25-
0165, entitled "National Institutes of Health Office of Loan Repayment and Scholarship (OLRS)
Records System, HHS/NIH/OD."
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information collected in
the application forms is: name, social security number (SSN), grant number, program application
and associated forms, service pay-back obligations, employment data, professional performance
and credentialing history of licensed health professionals; personal, professional, and (voluntary)
demographic background information; financial data including loan balances, deferment,
forbearance, and repayment/delinquent/default status information; educational data including
academic program; employment status and salary verification (which includes certifications and
verifications of continuing participation in qualified research); credit reports; and Federal, State
and county tax related information, including copies of tax returns.
LRP awards are competitive. The information collected during the LRP application process is
used to make basic eligibility determinations and to provide the scientific reviewers the
information necessary to assess the potential of the applicant to pursue a career in research and to
measure the quality of the overall environment to prepare the applicant for a research career.
Major changes are posted in the Federal Register and public comment is requested.
User consent is implicit in the act of providing the information. Providing the information is
voluntary; however, in most circumstances failing to provide the information precludes the
applicant from qualifying for the program or precludes the participant from receiving benefits of
the program.
The information provided is not disclosed without the applicant/participant's consent to anyone
outside of NIH in a manner that identifies the applicant/participant, except as permitted by the
Privacy Act.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A copy of our Privacy Act Notification is posted on our
Web site (http://www.lrp.nih.gov/privacy/index.htm) and is available to all individuals
providing IIF. The Privacy Act Notification lists the purposes for collecting the information, as
well as the routine uses permitted by the Privacy Act. The system also informs the user when
collecting data, during registration: “Note: We collect your Social Security Number [SSN] to
verify your identity, to determine your eligibility for loan repayment assistance and to keep track
of the federal funds you receive. We also use your SSN for loan repayment and servicing
purposes under the Loan Repayment Program. We also use this information to determine
whether you are eligible for loan repayment and the amount of that assistance. See Privacy Act
information for additional information.”
Major changes are posted in the Federal Register and public comment is requested.
User consent is implicit in the act of providing the information. Providing the information is
voluntary; however, in most circumstances failing to provide the information precludes the
applicant from qualifying for the program or precludes the participant from receiving benefits of
the program.
The information provided is not disclosed without the applicant/participant's consent to anyone
outside of HHS in a manner that identifies the applicant/participant, except as permitted by the
Privacy Act.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The DLR LRP system permits only
authorized and authenticated user access. Additionally, security measures compliant with Federal
guidelines and directives (NIST, FIPS, OMB, GAO, and agency-level HHS/NIH) and with industry
best practices are in place to ensure the effective use of security controls and authentication
tools to protect privacy to the extent feasible. Access to the LRP
system user's records is restricted to authorized users behind the NIH CIT firewall. Risk of
unauthorized access is, therefore, considered low. The DLR LRP system is maintained in strict
compliance with the NIH Privacy Act System of Record # 09-25-0165, entitled "National
Institutes of Health Office of Loan Repayment and Scholarship (OLRS) Records System,
HHS/NIH/OD."
Authorized user access to information is limited to authorized personnel in the performance of
their duties. Authorized personnel include system managers and their staffs, financial, fiscal and
records management personnel, legal personnel, computer personnel, and NIH contractors and
subcontractors, all of whom are responsible for administering the NIH LRPs.
Physical safeguards: Rooms where records are stored are locked when not in use. During regular
business hours, rooms are unlocked but are controlled by on-site personnel. Security guards
perform random checks on the physical security of the storage locations after duty hours,
including weekends and holidays.
Procedural and Technical Safeguards: A password is required to access the terminal and a data
set name controls the release of data to only authorized users. All users of personal information
in connection with the performance of their jobs protect information from public view and from
unauthorized personnel entering an unsupervised office. Data on local area network computer
files is accessed by a keyword known only to authorized personnel. Codes by which automated
files may be accessed are changed periodically. This procedure also includes deletion of access
codes when employees or contractors leave. New employees and contractors are briefed and the
security department is notified of all staff members and contractors authorized to be in secured
areas during working and nonworking hours. Individuals remotely accessing the secured areas
of the DLR Internet sites have separate accounts and passwords, and all data transmitted between
the server and workstations is encrypted.
NIH requires the completion of a computer-based training (CBT) course entitled ‘Computer
Security and Awareness’ for NIH staff and contractors. This CBT provides an overview of basic
IT security practices and the awareness that knowing or willful disclosure of the sensitive
information processed in the LRP system can result in criminal penalties associated with the
Privacy Act, Computer Security Act, and other federal laws that apply. This CBT can be found at
http://irtsectraining.nih.gov/. User access may be requested only by personnel authorized by the
Executive Officer. Users are not permitted system access until the required system training
prerequisites are completed and they demonstrate the competencies required to fulfill their work
responsibilities. Users are certified as having fulfilled the requirements by their Executive
Officer or his or her appointed representative who requests access for the user.
It should also be noted that the DLR LRP system runs as a part of the NIH (CIT/OIT)
infrastructure, which also supports policy enforcement to validate that security and
privacy requirements are being satisfied. Incident handling guidelines are detailed in the Office
of the Director (OD) standard operating procedures “OD/EO/OIT Standard Operating Procedures
for Malicious Code Attacks, Intrusions, and Offensive Emails” (at
http://oit.od.nih.gov/pubs/SOP_ISSO.pdf) and the NIH Incident Handling Guidelines (at
http://irm.cit.nih.gov/security/ih_guidelines.html) are consistent with
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Steve Boehlert
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD My Dietary
Supplements (MyDS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Office of Disease Prevention
Office of Dietary Supplements - My Dietary Supplements (MyDS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jody Engel, M.A., R.D.
10. Provide an overview of the system: My Dietary Supplements (MyDS) was designed to
give consumers a free, convenient mobile record of the dietary supplements they are taking.
Consumers can use their mobile device to keep track of the vitamins, minerals, herbs, and other
products they take and easily share the information with their health care providers. This mobile
application may help decrease the potential for interactions between dietary supplements and
prescription medications. MyDS can also provide science-based, reliable information about
dietary supplements as well as general information about the NIH Office of Dietary
Supplements.
Features
· Create personal dietary supplement profiles for yourself and others;
· Record and store on your mobile device the name and amount of each dietary supplement
you take;
· Add additional information about each dietary supplement in the Notes field;
· Email your dietary supplement profile to yourself, health care providers, pharmacists;
· Add up to two photos of each dietary supplement on your list;
· Protect your information with the option to create a personal password; and,
· Access reliable information about dietary supplements from the Office of Dietary
Supplements.
To set up the MyDS application on a mobile device (i.e., iPhone, iPad, etc.), the user will
download the application from the Apple iTunes/Application Store, then create a username (email
address) and personal password to open the application (Download MyDS).
In the near future, the user will be able to access an online WebApp version which will run just
like a mobile application, but via the Web.
The Office of Dietary Supplements has embedded the website http://www.flurry.com into the
MyDS application. It is an analytics application that counts usage data, downloads, and geo-
location (e.g., number of people using the device, browser used to download the application,
general (continent) location of the user, etc.).
If users have questions about the MyDS application, they can request MyDS support by
composing an email with the subject of their inquiry, message and email address and sending it
to: http://ods.od.nih.gov/about/mobile/mydssupport.aspx
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
System does not share or disclose PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects the
individual's email address only and does not use it for any communications. The email address
will only be used to authenticate access to the system and to support the "forgot password"
functionality. The agency will not use any of the individual's personal data. Submission of an
email address is mandatory to use the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The terms of service and the disclaimer to support the
application will be available to the individuals. The terms of service and disclaimer will state that
ODS does not use the data, nor does it have direct access to it. If any guidance changes the terms
of service and disclaimer will be updated.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The database server which stores the user's
email address will only be accessible via the Web server. The data will only be available to the
end user after login using the app. The email address will be encrypted on the server, so any
unauthorized access would not allow a connection of PII to the individual's data.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Enterprise
Architecture Repository (NEAR)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Enterprise Architecture Repository
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Steven Thornton
10. Provide an overview of the system: The NIH EA Repository addresses the need for access
to pertinent information in order to make better informed decisions. Specifically, the EA
Repository contains information about IT systems and their relationship to NIH Business
Processes, Data, Services and other EA Artifacts. This information, which is often tracked in
disparate systems, is consolidated in the EA Repository in a way which provides a high level
overview of how resources relate and how they are being used within the organization. With this
information, ICs can assess effectiveness of their investments, identify duplication and find
systems and services for reuse. Furthermore, the EA Repository provides a mechanism by which
to quickly identify impacts of a variety of different elements such as policy changes impacting
systems, and system retirements.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1. The system collects
employee name, employee business phone number, and employee business email address
(federal contact data).
2. We collect this information to have a business point of contact for managers of NIH
information systems.
3. The information is not considered PII, because it is federal employee business contact
information.
4. The information is currently in an optional field but will be updated to a mandatory feed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A No PII collected, maintained or
disseminated in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Enterprise
Architecture Website
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/7/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD NIH Enterprise Architecture
Website
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Steven Thornton
10. Provide an overview of the system: The NIH EA website is the authoritative source for
NIH’s enterprise architecture principles, standards, best practices, business process models, data
models, integration standards, and other types of enterprise level specifications and
communications.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NIH EA website
collects name, email address, title (optional), organization (optional), and phone number
(optional) via a Contact Us form to enable the NIH EA team to answer questions from the public
about the NIH EA program or website.
The NIH EA website also collects the NIH.gov email address for NIH employees and contractors
ONLY who wish to subscribe to receive alerts – based on their subscription preferences – when
content changes on the website. This information is then available to the NIH EA website
administrators, who can unsubscribe users manually, if necessary. These subscribers may also
unsubscribe themselves at any time.
The NIH EA website also collects the email address for users who wish to share NIH EA content
links with other users and those users’ email addresses. This information is not stored.
The NIH EA website uses WebTrends and Google Analytics for analytics. This CIT managed
service and Google Analytics collect referring domains for users who navigate to the NIH EA
website in support of the NIH EA team’s site analytics effort.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIH Enterprise Architecture website discloses its
use of PII via the site’s Privacy Statement:
http://enterprisearchitecture.nih.gov/About/About/Privacy.htm and via its P3P machine readable
policy. The current privacy statement (which is being updated to include references to Google
Analytics and the AddThis share widget) states:
Of the information we learn about you from your visit to the NIH Enterprise Architecture
website, we store only the following:
· The domain name from which you access the Internet
· The date and time you access our site
· The Internet address of the website from which you direct-linked to our site
This information is used to measure the number of visitors to the various
sections of our site and to help us make our site more useful to visitors. Unless it is specifically
stated otherwise, no additional information will be collected about you. When inquiries are
emailed to us, we store the question and the email address information so that we can respond
electronically. Unless otherwise required by statute, we do not identify publicly who sends
questions or comments to our website. We will not obtain information that will allow us to
identify you personally when you visit our site, unless you choose to provide such information to
us. Questions about NIH privacy policies should be sent to the NIH Privacy Act Officer at
The new privacy policy will include the following language:
Group "Website Measurement"
At the user's option, we will collect the following data:
· URI of requested resource
· Request timestamp
· User's interaction with a page or resource
· Search terms
· Client's IP address or hostname
· Data bytes in response
· Response status code
· Client's Browser Type
· Client's Operating System
· Client's Platform Type
· HTTP cookies
This data will be used for the following purposes:
Anonymous user analysis. The user is allowed to opt-out of this usage.
This data will be used by ourselves and our agents. In addition, the following types of entities
will receive this information:
Unrelated third parties. The user is allowed to opt-out of this data sharing.
The data in this group has been marked as non-identifiable. This means that there is no
reasonable way for the site to identify the individual person this data was collected from.
The following explanation is provided for why this data is collected:
enterprisearchitecture.nih.gov uses Webtrends and Google Analytics measurement software to
collect the information described in the bulleted list above. Webtrends and Google Analytics
collect information automatically and continuously. No personally identifiable information is
collected. The NIH staff conducts analyses and reports on the aggregated data from Webtrends
and Google Analytics. The reports are only available to enterprisearchitecture.nih.gov managers,
members of the NIH Office of the Chief Information Officer (OCIO), and other designated staff
who require this information to perform their duties.
Group "Cookies"
At the user's option, we will collect the following data:
· HTTP cookies
This data will be used for the following purposes:
Anonymous user analysis. The user is allowed to opt-out of this usage.
This data will be used by ourselves and our agents. In addition, the following types of entities
will receive this information:
Unrelated third parties. The user is allowed to opt-out of this data sharing.
The data in this group has been marked as non-identifiable. This means that there is no
reasonable way for the site to identify the individual person this data was collected from.
The following explanation is provided for why this data is collected:
The Office of Management and Budget Memo M-10-22, Guidance for Online Use of Web
Measurement and Customization Technologies allows Federal agencies to use session and
persistent cookies. When you visit any Web site, its server may generate a piece of text known as
a "cookie"
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Because the only PII that is stored is the
nih.gov email addresses of employees and contractors who subscribe to be notified of changes,
there are no security controls required to protect it. This feature is not available to public users.
A much larger set of the same information can be found publicly on ned.nih.gov.
Nevertheless, the information is protected, such that only site managers can access it using NIH
Login, and by being assigned to the site manager security group. The information sits within the
NIH firewall. Only the system owner can grant permission for someone to be added to this
security group. Upon her request, the SharePoint administrators grant this permission in the
system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Jeff Erickson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Integrated
Training System II (NIHITS II)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02--4610-00-403-224
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH Integrated Training System II
(NIHITS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kimberly Hill
10. Provide an overview of the system: The NIH Integrated Training System II (NIHITS II) is
a Web-based training nomination system used at the National Institutes of Health (NIH). NIHITS
II allows for the creation, approval and tracking of employee training nominations.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
NIH Business System (NBS) for purposes of funds obligation for training nominations. SOR#
09-25-0216
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The NIHITS system will
collect IIF through the Name (First, Last, Middle Initial) of employees within NIH, as well as
contractors and other assignments as deemed appropriate by IC authorities at NIH. NIHITS will
also collect SSNs for NIH employees, contractors, and other assignments as deemed appropriate.
The information collected is required to be able to procure and track training for employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The NIHITS system imports Name and SSN
information from the NIH Employee Database for purposes of updating the list of employees and
keeping information up-to-date. Users are notified by email when changes are to occur in the
system. Employees are not directly notified when information is collected from HRDB because
they should have been notified when the information was collected in HRDB.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: IIF data is secured by using user identifiers,
passwords, firewalls, IDS, backups, ID badges and physical security (guards) at the location. Users
are restricted to viewing only the data needed to fulfill their duties.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen P
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Intramural
Database [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-01-4615-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH Intramural DataBase (NIDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dale Graham
10. Provide an overview of the system: The NIH Intramural DataBase (NIDB) system collects
data relating to oversight and evaluation of the NIH's Intramural Research Program. These data
include names of researchers involved in particular projects and the publications they author, as
well as which NIH organizations they are affiliated with. In addition, the names and
organizational affiliations of extramural collaborators are also collected. For NIH researchers,
the NIDB collects NIH email addresses and other data relating to their research position (e.g.,
their Intramural Professional Designation). All data collected directly relates to the NIH
intramural research process. We collect no unique personal information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Searches of Annual Reports show names of the people participating in the research. NIH contact
information is passed to PubMed Central via webservices and to NEES via a database view.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIDB collects names,
advanced degrees and NIH email addresses for NIH researchers. It also collects from NIH
researchers the names and organizational affiliations of non-NIH researchers with whom they
collaborate. No personal information (other than names) is collected. Most names for NIH staff
are now collected directly from the NIH Enterprise Directory, rather than being entered by NIH
staff. These data are used for oversight and evaluation of the NIH Intramural Research Program.
The Annual Reports (after approval by Lab/Branch Chiefs and Scientific Directors) are available
for searching by members of the public. They contain names, degrees, and organizational affiliations
for those shown as collaborating on the Reports. There is no submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not applicable to NIDB. However, NIDB downloads
data from NED. Changes to this system and their process notifications are outside of NIDB’s
scope. What NED indicates is as follows: The following notice is displayed to users following
authentication to NED.
"Collection of this information is authorized under 5 U.S.C. 301 and 302, 44 U.S.C. 3101 and
3102 and Executive Order 9397. The primary use of this information is to establish a centrally
coordinated electronic directory to conduct administrative business processes at the National
Institutes of Health. Information from this system may be disclosed to personnel with a valid
need for access to the information in order to conduct agency business. To the extent that they
are relevant and necessary, additional disclosures of the information may be made for the
following purposes: to contractors or consultants engaged by the agency to assist in the
performance of a service; to respond to another Federal agency’s request made in connection
with the hiring, clearance or retention of an employee or letting of a contract; or to the
Department of Justice, or to a court or other adjudicative body for litigation. Failure to provide
all or part of the information requested may limit your ability to perform official duties, impact
your ability to qualify for an NIH contract or limit your access to NIH services and facilities."
There are no other processes currently in place to obtain additional consent from the individual
whose IIF is stored in NED regarding what IIF is being collected for them or how the
information will be used or shared. There are also no processes in place at this time to obtain
consent from the individuals whose IIF is in the system when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: NIDB collects names (public record), and
NIH contact information (also public record) via NED. NIDB has access solely to NED's public
view and therefore has no access to anything other than that. NIDB also collects information
about advanced degrees (when granted, where). Contact information and when and where
degrees are granted are NOT made public. This is utilized within the NIH only. Access to NIDB
data requires authorization by role for any of this information.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Security
Authorization Tool [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/25/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Security Authorization Tool (NSAT)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Brent Kopp
10. Provide an overview of the system: NIH Security Authorization Tool (NSAT) is used to
prepare Assessment and Authorization documents, track and report on system
weaknesses/POAM's, store test results related to SCAs and Annual Assessments, and to store
inventory information related to the NIH's systems, to include Major Applications (MA),
General Support Systems (GSS) and Minor Applications. NSAT is a web-based, commercial
off-the-shelf (COTS) software package powered by Trusted Agent and is supplied and supported by
Trusted Integration.
The NSAT tool produces and/or stores a variety of Assessment and Authorization documents to
include the System Security Plan, the Plan of Action and Milestones, the FIPS-199
Categorization, the Security Control Assessment plan and results, the Security Assessment
Report and Risk Assessment. The NSAT system provides reports related to weaknesses and
system inventory and a repository for artifacts related to the SA&A process. In addition, NSAT
tracks the progress and deadlines related to weakness remediation and SA&A document
production.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NSAT does not collect,
maintain or disseminate IIF. It contains security control information for NIH systems per
FISMA requirements. This includes SA&A dates, FIPS 199 categorizations, security control
implementation, etc., that are used to evaluate system security status. There is no submission of
personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF is not collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: No IIF is collected on the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Promoted by Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD OCIO IRT Lab
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/11/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OCIO IRT Lab
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Christopher Todd
10. Provide an overview of the system: The system is a General Support System (GSS) and
does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system is a General
Support System (GSS) and does not directly collect or store information. The
applications/systems residing on the GSS collect and store information. Therefore, individual
PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD OD General Support
System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): General Support System (GSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Antoine Jones
10. Provide an overview of the system: Office of Information Technology LAN
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
none
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: There is no information
collected, maintained, or disseminated from this system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: None
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD OOCCR OMTrends
Database
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD OOCCR OMTrends Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lisa Witzler
10. Provide an overview of the system: OMTrends is a secure, encrypted database used by the
Office of the Ombudsman, Center for Cooperative Resolution to record, track, analyze and report
conflict management and resolution of workplace issues, as well as non-identifiable
demographics of constituents who use the office, and other important, non-confidential
information. It is a customized, password-protected Microsoft Access Database hosted on a
NIH/OD server.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) We collect the quarter of
the year the case is opened (January to March; April to June; July to September; October to
December), the current position of the employee, how the employee was referred to the office,
bargaining unit status, Institute/Center, and a range (in 5 year increments) of how long they have
been at NIH, the general issues that are presented (i.e. communication, performance), the
ombudsman activity (i.e. coaching, mediation, referral), where we refer an employee if
applicable (i.e. Employee Assistance Program, Employee Relations, OEODM). We are
occasionally contacted by non-NIH employees and thus collect this information as well.
(2) We collect this information for the purposes of providing a service to further scientific
research through efficient, effective, and innovative conflict management and resolution
methods; improve the work environment, preserve workplace relationships and enhance the
quality of work.
(3) There is no PII collected.
(4) Usage of the OD/CCR services is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD OSE LifeWorks E-
mentoring
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No; included in existing mentoring project by
OBSSR
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0014
5. OMB Information Collection Approval Number: 0925-0475
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): LifeWorks E-mentoring
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Lisa Strauss, Raymond Liu
10. Provide an overview of the system: LifeWorks E-mentoring is an NIH e-mentoring
program that extends existing efforts by the NIH Office of Behavioral and Social Science
Research (OBSSR) to provide high school students with information about careers in biomedical
research, behavioral research, social science research, and healthcare-related fields. Development
and maintenance of the supporting database is administered by the NIH Office of Science
Education in partnership with OBSSR. High school students age 16 and older are linked via
email to e-mentors who provide them with relevant information, guidance and support. E-mentoring
takes place via the Internet.
Mentor Registration--Mentors complete the registration and Conditions of Service agreement
online. Failure to abide by the terms results in removal from the program. Mentor registration
involves multiple background checks, including the U.S. Department of Justice Dru Sjodin
National Sex Offender Public Web site (http://www.nsopr.gov/) and a personal reference check.
Student Registration--The parent/guardian and student must complete the registration form
online. Failure to abide by these terms will result in student removal from the LifeWorks E-mentoring
program.
Security--All student and mentor communications take place behind a firewall and are password
protected on a server that is managed by the NIH Center for Information Technology.
Privacy and Internet Safety--Participants are instructed that all communications between mentors
and students are restricted to the online tool. No contact between students and mentors is allowed
outside of the online tool. To minimize alternative communication channels, email addresses are
automatically deleted from messages.
Training--To promote safe internet practices, mentors and students receive separate guidelines
that provide information and Web site links about internet safety and e-mentoring rules.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Personal information collected by LifeWorks E-Mentoring will be shared with the NIH
administrator at the Office of Science Education, and with IT support administrators of the same, to
archive in the database for the direct purpose of matching protégés with mentors. This information
will not be shared with third parties unless specifically authorized by legal authorities under
existing statutes. IIF data will be retained on the system for the projected life cycle (12 months) of the
proposed activity (e-mentoring). These files will be deleted from the database upon direct request
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: LifeWorks E-mentoring is a
free e-mentoring program that helps high school and college students who are interested in
behavioral and social science, biomedical science, dental, and healthcare careers find a mentor.
Mentors are carefully screened science, healthcare, and education professionals who volunteer to
provide information, guidance, and support as students develop their careers. Internet-based
communication occurs between high school students and pre-screened postdoctoral fellows,
scientists and healthcare personnel who are determined to be well-suited to serve as e-mentors.
Submission of all PII is strictly voluntary; however, in order to participate in the LifeWorks E-mentoring
program, users must provide PII in response to questions. NIH Office of Science
Education administrators assigned to manage LifeWorks E-mentoring will have access to all PII
collected.
The form we use to collect student and parent/guardian information is:
https://science.education.nih.gov/LifeWorksEmentoring.nsf/Student%20Registration?OpenForm
Required student information includes: first name, last name, school grade, school name, email
address, home address, city, state, zip code, phone number, age and gender.
Required parent/guardian information includes: first name and last name.
The form we use to collect mentor information is:
https://science.education.nih.gov/LifeWorksEmentoring.nsf/Mentor%20Registration?OpenForm
Required mentor information includes: first name, last name, title, degree/grade,
employer/school, email address, work address, city, state, zip code, phone number, profession
and gender.
Required mentor reference information includes: first name, last name, job title,
employer/school, phone number and email address.
The data is kept in our Domino database system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) LifeWorks E-mentoring participants will be notified by
regular mail or electronic communication of any changes to the system that are covered by
provisions of the Privacy Act. Consent for collecting and releasing PII that falls outside the scope
of the original notice will be obtained through similar channels.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to the LifeWorks E-mentoring users
database will be restricted to the designated NIH administrators at OSE. Unauthorized access
will be restricted as indicated below.
There will be two completely different databases to this application. The first database will be
available to the general public. It is where general information about the program is available. It
is also where individuals can go to register as participants. The other database is where the
actual communication resides. It will only be available to eligible participants. This is security at
the database level.
Individuals will be required to complete an application, by which they will be given access
authority. This is the point at which matches will occur. When a match is formed, mentor and
student will be provided ID and password access to the second database. This is security by ID
and password authentication.
Although all participants will have access to a common communication database, each person
will only have access to his/her own relevant documents. Each document will have limited
access characteristics that (a) limit readability to mentor, student and NIH administration, (b)
prohibit modification after it is created, and (c) internally/invisibly track who created the
document.
In addition, all e-communication is firewalled and password protected on a server that is
managed by the NIH Center for Information Technology.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD PastPerfect Online
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD PastPerfect Online Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Barbara Harkins
10. Provide an overview of the system: PastPerfect online database contains museum object
collection records, photograph collection records and archival material that is in the public
domain. These records are accessed by collection name and the information retrieved is
description, date of creation, title of collection, number of images. Archival collections will have
scope and content information of the collection, dates, number of boxes and folders.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The PastPerfect system
collects historical and archival information from the NIH community, specifically,
microscopes used in research, photographs of buildings, events and NIH directors (federal
employees).
(2) The purpose of this collection is to preserve the visual and physical history of science at the
NIH. These materials are used for historical research only.
(3) Information contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) Consent is not necessary as there is no PII in the
PastPerfect database.
(2) Government employees have used these government objects and photographs and donated
them to the History Office. PII is not collected from the individuals when the items are
cataloged.
(3) The information is shared by users searching the PastPerfect database.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The administrator, Barbara Harkins, creates
and manages all of the data that is placed in the database. Harkins provides the passwords to
individuals using the system (two other individuals, both employees of the Office of History)
and performs the backups; the software company, PastPerfect Software, performs regular security
checks, back-ups and technical support.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Barbara Harkins
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/2/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD People Trak [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/1/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD People Track
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Darlene Blocker
10. Provide an overview of the system: The objective of People-Trak is to provide the primary
tools necessary for capturing, managing and reporting everyday Human Resources tasks.
Modules included in this package are Personnel Management, Safety Management, Training
Administration, and Position Control. Other features include time and attendance, compensation
management, and benefits administration. This also provides an easy-to-use query based
report writer, intelligent performance appraisal tools, filtered security, unlimited users and
unlimited companies.
This automated system provides the following capabilities and functionalities:
Personnel Management:
· Tracks EEO and other demographics to provide necessary information for the creation of
EEO-1 reports and other reports detailing the diversity of the workforce.
· Tracks information for two emergency contacts including address, home phone, and work
phone. Emergency contact reports can be produced in seconds. This information will be used in
case of an emergency with the OAR COOP.
· Automatically records status history: as status changes are made, an ongoing status history
is recorded. This enables you to monitor and report on the status of the employee
over their career.
· Flexible termination tracking which allows you to record both the termination reason and
type. You can group terminations for reporting to isolate trends and identify problem
departments and managers.
Training and Competency Module:
· Training and Competency works in conjunction with Personnel Management to track
detailed information about mandatory training and other training courses.
· The training module allows staff to track extensive training course information by creating
a catalog of courses that include cost, certification details, number of meetings, class duration,
detailed description, pre-requisites, skills, equipment, and materials needed. Tracks Detailed
Course History which allows reporting on all courses taken including the summing of credits,
CEU's, and course costs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information that the
office will collect consists of names, birth dates, phone numbers, medical documentation, email,
education documents, military status, employment status and foreign activity information. This
information will be used for the purpose of maintaining internal records. There will be some
documentation that contains PII such as birth dates, addresses, and telephone numbers. The
information that will be maintained in this system is on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A plan has been developed to notify and obtain consent
from individuals regarding what PII will be collected. Written notice will be sent to the
individual with a form attached asking them for consent on using their PII. This form will
explain how and why this information will be utilized. They will have to sign and date the form
before any changes will occur.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII information will be stored on the Office
of AIDS Research (OAR) server that is currently being housed at the Office of Information
Technology (OIT). OIT is currently responsible for the technical issues, back-ups, upgrades, and
security associated with the server.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica Lanier
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Project Performance
Monitoring System (PPMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4694-00-301-092
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): None
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH Program Performance Monitoring
System (PPMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Rosanna Ng
10. Provide an overview of the system: The NIH Program Performance Monitoring System
(PPMS) is a web-enabled centralized secure reporting system used for gathering, managing,
analyzing and disseminating program performance and budget data. The system consists of two
(2) major components, the NIH Performance Webpage (http://nihperformance.nih.gov) and an
online budget and performance reporting system known as Visual Performance Suite (VPS).
The Website component of PPMS links to VPS, historic reports, and relevant performance
reporting resources. The VPS component of PPMS provides a web-enabled centralized
performance reporting database used to collect, store, and report budget and performance data to
support NIH’s compliance with the Government Performance and Results Act (GPRA) and
related NIH-level performance reporting. The PPMS system was deployed to the development
server and went “Live” in July 2007.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The VPS component of
PPMS provides a web-enabled centralized performance reporting database used to collect, store,
and report budget and performance data to assist NIH in meeting the requirements of the
Government Performance and Results Act (GPRA) and related NIH-level performance reporting.
The system does not contain PII. There is no need to submit personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not applicable. The system does not collect, maintain,
or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Not applicable. System does not collect,
maintain, or transmit PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Rosanna Ng
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Purchase Card System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Purchase Card System (PCS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Vanessa Palacios (primary),
Michelle Romero (backup)
10. Provide an overview of the system: The Purchase Card System tracks NIH employee
Purchase Card information. The PCS application will provide authorized staff members of the
Purchase Card Program Office with the ability to view, edit, track, and add NIH cardholder/card
approval official (CAO) purchase card information. Information includes names, work
addresses, work phone numbers, work email addresses, GS Level, employee title, NED ID
Number, cardholder/CAO purchase card account, and purchase card training/HHS required
purchasing training completion dates.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system does not share or disclose the NED ID Number (PII) to others or other systems (the
system does not connect to other systems). Only the Purchase Card Program Office has access
to the system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system maintains card
user’s identification information that is related to their account. The information is used to
identify cardholders and manage cardholders' accounts.
1. The Purchase Card System (PCS) is a collection of administrative information of
Cardholders (CH)/Card Approving Officials (CAO) held within a website for ease of use for the
Purchase Card Office. Information collected includes: Purchase Card Account Information
(specifically name of CH/CAO, single/monthly purchase limit of that individual, and purchase
card account number), NED ID Number, the dates of purchase card required training as well as
when the person has to retake training, and work contact information (work address and work
phone/fax number). All information collected is work related.
2. The purpose of such information is so the office knows which accounts are active/inactive,
which have been cancelled and when. It also lets the office know which individuals are up for
annual refresher training. In essence, this system acts as an electronic file folder of individuals
that have or had government issued purchase cards.
3. The NED ID Number is PII and therefore the website contains PII.
4. The submission of the NED ID (PII) is mandatory.
5. Only federal employee information is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1. No major changes have occurred in the system since
it is for internal use only by the NIH Purchase Card Program Office.
2. The NED ID Number is a required field in the purchase cardholder/CAO application form.
3. The NED ID Number is not shared (disclosed) outside of the NIH Purchase Card Program
Office. Consent of the NED ID Number is given via the purchase cardholder/CAO application
form.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Access to information is role based. The
PCS application is monitored with intrusion detection, intrusion prevention, vulnerability
assessments and firewalls.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Zedekiah J. Worsham
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Research and Training
Opportunities System (RTO)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-4688-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0014, 09-25-0158, and 09-25-0108
5. OMB Information Collection Approval Number: 0925-0299
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Research and Training
Opportunities System (RTO)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Steve Alves
10. Provide an overview of the system: The Office of Intramural Training & Education (OITE)
administers a variety of programs and initiatives to recruit and develop individuals who
participate in research training activities on the NIH's main campus in Bethesda, Maryland, as
well as other NIH facilities around the country. To facilitate its recruitment function, the OITE
maintains the NIH Research and Training Opportunities (RTO) Web site,
http://www2.training.nih.gov, which includes applications and related forms for a range of
intramural research training programs. The application system includes a back-end database that
functions as a centralized repository of information regarding program applicants. Collection of
the information in this system is authorized under sections 241, 242l, 282(b)(10), 282(b)(13),
284(b)(1)(c), and 284(b)(1)(K) of title 42 of the United States Code (USC), and Part 61, Subpart
A and Part 63 of title 42 of the Code of Federal Regulations (CFR). The primary use of this
information is to evaluate applicants' qualifications for research training at the NIH.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
FDA investigators, staff, and administrators involved in the recruitment/selection of trainees may
be given access to the applicant databases. Access is otherwise restricted to authorized NIH
investigators, staff, and administrators.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The electronic application
system collects information, including PII, necessary to evaluate the qualifications of individuals
who seek intramural research training opportunities at the NIH. These fields include the
following: name, month and day of birth, e-mail address, mailing address, telephone numbers,
citizenship status, visa status, institutional affiliations, courses completed and grades earned,
grade point average (GPA), academic major, publications, a resume or curriculum vitae, contact
information for up to 3 references, cover letter/personal statement, scientific research interests.
Candidates also have the option of voluntarily responding to questions regarding gender,
race/national origin, and disability (RNO). RNO data are made available to authorized NIH
users in aggregate form only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Information is collected through a web-based electronic
application system. Applicants are presented with a link to the following Privacy Act
Notification Statement:
“Collection of this information is authorized under sections 241, 242l, 282(b)(10), 282(b)(13),
284(b)(1)(c), and 284(b)(1)(K) of title 42 of the United States Code (USC), and Part 61, Subpart
A and Part 63 of title 42 of the Code of Federal Regulations (CFR). The primary use of this
information is to evaluate your qualifications for research training at the National Institutes of
Health. Additional disclosures may be made to law enforcement agencies concerning violations
of law or regulation. Application for this program is voluntary; however, in order for us to
process your application, you must complete the required fields.” (Electronic Notice)
Applicants who choose to respond to the separate survey regarding gender, race/national origin,
age, and disability are presented with a link to the following instructions:
"This survey is used to collect and analyze data involving race, sex, age, disability, and national
origin from applicants for employment. The information you provide will be used for statistical
purposes only and will not in any way affect you individually. While completion of this form is
voluntary, your cooperation is important to help ensure accurate information regarding
employment practices. We ask you to answer each of the questions to the best of your ability.
Read each item thoroughly before selecting the appropriate response." (Electronic Notice)
There is no process in place currently to notify and obtain consent from the individuals whose
IIF is in the system when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Methods are in place to ensure least
privilege (i.e., "need to know" and accountability). Accounts to access application data are
issued by authorized representatives from the individual ICs. Access to accounts that give the
user greater access (to create "read only" accounts and to accept applicants electronically) is
controlled by OITE staff. Also, OITE’s Web contractors do not have full administrative rights
on development and production servers, and only access specific folders on these servers.
Technical Controls in place to minimize the possibility of unauthorized access, use, or
dissemination of the data in the system include User Identification, Passwords, Firewall, Virtual
Private Network (VPN), Encryption, and Intrusion Detection System (IDS). In December 2010,
OITE moved RTO behind the Federated Identity Login service (NIH Login). Regarding the physical
access controls currently on the system, the Web, e-mail, and database servers are maintained
in secure NIH buildings at which security guards are posted. Access to the servers is
restricted to authorized CIT/OIT individuals with valid Identification Badges.
In addition, the IT contractors are required to adhere to the security guidelines contained in the
DHHS Automated Information Systems Security Program (AISSP) Handbook. Software
development is performed on servers maintained by the contractor. Staging is on a shared NIH
server residing inside the NIH firewall. Development will occur on specific servers maintained
by the NIH Office of Information Technology. All contract employees are subject to a National
Agency Check and Inquiry Investigation plus a Credit Check (NACIC).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Steve Alves
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Research Condition
and Disease Categorization Budget Estimating Tool (R-BET)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4620-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Disease Funding Tracking System (DFTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Sylvia Bennett
10. Provide an overview of the system: The NIH will implement the Management Planning
and Control (MPC) software from Geac to replace the existing DFTS to enhance the system’s
capabilities. The MPC implementation will provide the Office of Budget with an application to
consolidate all data related to diseases, conditions and research areas for the NIH; use .NET
technology instead of JAVA; save history more efficiently than the existing system; and provide
better reporting capabilities both ad-hoc and production. The main MPC database will be in a
Microsoft (MS) SQL Server that houses the web interface. The existing DFTS will be the main
source of historic data. Approximately 18 years of history will be loaded: 1987-2004 with
verification being the responsibility of NIH. The NIH will supply extracted and cleansed data in
a format compatible with the Geac Data Loader Utility. DFTS data is available to the public.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system contains disease
fund tracking data. The information can be sorted into reports based on the following:
- Disease By Year By IC
- Disease By IC By FY
- Disease Actual vs. Estimate
- Disease Comparison By FY
- Percentage Change By IC
Other reports/views may be created by NIH staff. DFTS contains no IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sylvia Bennett
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Research Portfolio
Online Reporting Tools (RePORT)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Research Portfolio Online Reporting
Tools: Expenditures and Results (RePORTER)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: James Onken
10. Provide an overview of the system: NIH RePORTER is an online interface that provides
access to NIH-funded research projects and the results (publications and patents) citing this
support. Only public information available through other existing websites (NIH grant awards,
intramural projects, PubMed references, and patent ID numbers from the US Patent and
Trademark Office) is available through RePORTER. Users are able to query the database by
entering terms or making fielded selections, and the results of the query are returned in a project
listing that includes the project number, subproject identifier (if applicable), project title, contact
principal investigator, performing organization, fiscal year of funding, NIH administering and
funding Institutes and Centers (IC), and the fiscal year total costs provided by each funding IC.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information on NIH-funded research is shared with the public for transparency and so they can
benefit from the results of that research.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: NIH RePORTER provides
public access to NIH-funded research projects and the publications and awarded patents that
have cited this support. These data are in the public domain and accessible to members of the
public from several sources, including the DHHS TAGGS database, Medline, PubMed Central,
the NIH Intramural Database, and the US Patent and Trademark Office database. The only PII
disseminated is the Principal Investigator name.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Notification to and consent of Principal Investigators is
provided when they apply for a grant through NIH eRA systems.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: All information in the system is public
information. No PII is collected, stored or disseminated.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: James Onken
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Research Training
Programs Web Site [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0014, 09-25-0108, 09-25-0140, 09-25-0158
5. OMB Information Collection Approval Number: 0925-0299
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Research Training Programs Web
Site (RTP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Patricia M. Sokolove, PhD
10. Provide an overview of the system: The purpose of the NIH Research Training Programs
Web Site (RTP), https://www.training.nih.gov, is to provide access to information regarding NIH
intramural training programs and OITE services for prospective and current trainees, staff in the
NIH Intramural Research Program, trainees and faculty in the extramural community, and other
site visitors.
The RTP site enables OITE to:
- Increase ease of access to the services provided by OITE for trainees in the NIH IRP
- Deliver high-quality, timely information on NIH intramural training programs to OITE's
internal and external constituencies
- Streamline internal user community functions in OITE such as registration for and evaluation
of events, lectures, and workshops
- Provide networking opportunities for current NIH trainees, program alumni, and NIH staff
The Alumni Database is designed to (1) track where the NIH-IRP trainees go once they leave the
NIH; and (2) use the alumni population to further enhance the training experience of the program
matriculates, a service already performed by many university alumni databases.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Authorized OITE staff have access to system data via a CMS on the back end. Registered
Trainees, NIH/FDA Staff, and Alumni have access to the public profile data of Alumni who
indicated their willingness to serve as Networking Contacts. Public profile data are shared to
provide networking opportunities for current trainees and other registered users.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The type of information
collected when a user registers for an account on the RTP site varies by user type, as follows
(fields marked with an asterisk are required):
{ All users }
- User Type* [Current NIH Trainee/Fellow, NIH Staff Scientist/Staff Clinician, Other NIH
Staff, Guest, or Alumni]
{ Current NIH Trainee/Fellow account fields }
- NIH ID/Badge Number*
- Institute/Center (IC)*
- Campus
- Trainee Type*
- Current NIH Training Program*
- Honorary Title
- First Name*
- Middle Name
- Last Name*
- E-mail* (must be a valid, working NIH or FDA e-mail address)
- Permanent E-mail*
- Preferred E-mail Address
- Password*
{ NIH Staff Scientist/Staff Clinician account fields }
- NIH ID/Badge Number*
- Institute/Center (IC)*
- Campus
- Honorary Title
- First Name*
- Middle Name
- Last Name*
- E-mail* (must be a valid, working NIH or FDA e-mail address)
- Password*
{ Other NIH Staff account fields }
- NIH ID/Badge Number*
- Institute/Center (IC)*
- Campus
- Current NIH Position*
- Honorary Title
- First Name*
- Middle Name
- Last Name*
- E-mail* (must be a valid, working NIH or FDA e-mail address)
- Password*
{ Guest account fields }
- Highest Education Level*
- Current Institution
- Honorary Title (Mr., Ms., Dr., etc)
- First Name*
- Middle Name
- Last Name*
- E-mail*
- Password*
{ Alumni account fields }
- Honorary Title
- First Name*
- Middle Name
- Last Name*
- Suffix
- Street
- City
- State
- Zip
- Country
- Phone Number
- Fax Number
- Permanent E-mail*
- Password*
NIH History
- Institute/Center (IC)*
- NIH Training Program*
- When were you at the NIH for this program*
- NIH PI
- Member of ("During my time at the NIH, I was a member of (check all that apply)") [NIH
Fellows Committee, Graduate Student Council, Postbac Committee]
- Current Status* [Continuing high school, Entering a bachelor's degree program, etc.]
Education
- School [required if the individual chooses to enter an educational experience]
- City [required if the individual chooses to enter an educational experience]
- State [required if the individual chooses to enter an educational experience]
- Country
- Degree(s) [required if the individual chooses to enter an educational experience]
- Date of Degree Receipt
- Major/Option/Program (If applicable)
- Current Institution ("I am currently enrolled at this institution") [Yes/No]
Employment
- Organization [required if the individual chooses to enter an employment experience]
- Department
- City [required if the individual chooses to enter an employment experience]
- State [required if the individual chooses to enter an employment experience]
- Country
- Job Title/Function [required if the individual chooses to enter an employment experience]
- Annual Salary
- Description of Bonus/Benefits
- Additional Comments
- Employment Sector (Academic - Research University, Academic - University, primarily
teaching, etc.)
- Current Institution ("I am currently employed by this institution") [Yes/No]
- Dates of Employment [required if the individual chooses to enter an employment experience]
- Networking Contact* [Yes/No]
("Are you willing to serve as a networking contact for NIH trainees? We anticipate that they
might seek your advice on career planning, the graduate/professional school application process,
the job search process, or your particular position. Note: By clicking yes, you are authorizing
OITE to include you in the searchable database. By clicking no, you will not be included in any
search results provided to the public.")
- Career Counselor Contact* [Yes/No]
("Would you be willing to be a contact for career counselors in the Office of Intram
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) At present, there is no process in place to notify and
obtain consent from individuals whose PII is in the system when major changes occur to the
system (e.g., disclosure and/or data uses have changed since the notice at the time of the original
collection).
(2) The following text appears at the top of the Alumni Database registration form
(https://www.training.nih.gov/alumni/register):
Thank you for taking the time to create an entry for yourself in the NIH Alumni Database. This
is a new venture for the NIH Office of Intramural Training & Education (OITE) and we have big
plans.
You may be wondering why you should take the time to complete the brief form below today
and keep your entry up to date in the future. Here are several reasons:
- First, what's in it for YOU? Networking! You will be helping to create a searchable database
of potential colleagues that you can mine to meet your own needs and those of your students and
friends. But, in addition
- The OITE invites former NIH trainees to speak at events like the Career Symposium and the
National Graduate Student Research Festival. The success of those ventures depends on our
keeping in contact with a diverse group of NIH alumni that could include you.
- Applicants to NIH training programs often want to know where program participants go next.
Where do NIH postbacs go to graduate or professional school? Where do NIH postdocs find
jobs? You can help us provide those data.
- If you wish, you can become part of a worldwide network of NIH alumni who are willing to
answer current trainees' questions about schools and jobs.
Database Rules:
- Information that you enter into the database will be made public e.g., in publications
describing NIH programs, only in the aggregate; no personally identifiable information will be
published.
- Your personally identifiable information (see below) will be included in the searchable
database only if you authorize the OITE to include it. You can change your mind at any time.
- Only Alumni Database account-holders, current NIH trainees, and NIH staff will be able to
search the Database.
- You can update your educational and/or employment history and preferences at any time.
(3) Authorized OITE staff have access to system data via a CMS on the back end. Registered
Trainees, NIH/FDA Staff, and Alumni have access to the public profile data of Alumni who
indicated their willingness to serve as Networking Contacts. Authorized users must log in in
order to access the Alumni Database. Public profile data include the following fields:
- First Name
- Middle Name
- Last Name
- Suffix
- Preferred method of contact (Phone Number or Permanent E-mail)
- Institute/Center (IC)
- NIH Training Program
- When were you at the NIH for this program
- NIH PI
- Organization
- Department
- City
- State
- Country
- Job Title/Function
- Employment Sector
- Current Institution
- Dates of Employment
- School
- City
- State
- Country
- Degree(s)
- Date of Degree Receipt
- Major/Option/Program
- Current Institution
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: An individual who creates an account must
provide a valid, working e-mail address as part of the registration process. Upon submitting his
account information, the user receives an e-mail message containing an account activation link.
A user wishing to create a Trainee or NIH/FDA Staff account must provide an e-mail address
ending in nih.gov or fda.hhs.gov. The account activation message is sent to this e-mail address
(even if the user's preferred e-mail address is his permanent e-mail address).
Once a user activates her account, she can modify her profile whenever desired by logging on to
the system. User passwords are not visible to any users, including OITE staff.
Access to the Alumni Database is restricted to individuals registered as NIH/FDA Trainees,
NIH/FDA Staff, and Alumni. Guest users are not authorized to access this part of the system.
The data collected and stored in the RTP system are hosted on servers located in Equinix; see
http://www.equinix.com/ for specific details on the hosting environment and security elements.
Physical access to the hosting environment in Equinix requires visit letters, a photo badge,
biometric screening and pre-authorization. Equinix is a SAS 70 Type I and Type II audited data
center with 24x7x365 security staff, access controls, biometric controls, physically separated data
spaces and cameras inside and outside the facility.
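The registration flow described in this answer (an activation link e-mailed to an address that, for Trainee and Staff accounts, must be in nih.gov or fda.hhs.gov; the link consumed once to activate the account) is the kind of control a reviewer would want to see implemented carefully. The following is an added example, not code from the OITE Alumni Database or from this PIA. It assumes a 24-hour token lifetime and that subdomains of nih.gov and fda.hhs.gov are acceptable, neither of which the page states. It checks the domain on a label boundary, so an address such as user@evilnih.gov does not pass a naive "ends in nih.gov" test, and it stores only the SHA-256 digest of each token, so a copy of the pending-activation table cannot be used to activate accounts.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumptions for this example (not stated in the PIA): activation links
# expire after 24 hours, and subdomains of the allowed domains are accepted.
TOKEN_TTL_SECONDS = 24 * 60 * 60
STAFF_DOMAINS = ("nih.gov", "fda.hhs.gov")


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of an e-mail address, or None if it is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")


def is_staff_email(address: str) -> bool:
    """Accept only an allowed domain or a subdomain of one.

    The comparison is made on a label boundary: a plain str.endswith("nih.gov")
    would also accept 'user@evilnih.gov'.
    """
    domain = email_domain(address)
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in STAFF_DOMAINS)


@dataclass
class PendingActivation:
    email: str
    expires_at: float


class ActivationStore:
    """Pending activations keyed by the SHA-256 digest of the token.

    Only the digest is stored, so a leaked copy of this table does not yield
    working activation links. Each token is consumed on first use.
    """

    def __init__(self) -> None:
        self._pending: Dict[bytes, PendingActivation] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a fresh random token for `email` and return it for the e-mailed link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
        self._pending[self._digest(token)] = PendingActivation(email, now + TOKEN_TTL_SECONDS)
        return token

    def activate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Consume a token. Returns the activated e-mail address, or None if the
        token is unknown, already used, or expired (an expired token is discarded)."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)
        if entry is None or now > entry.expires_at:
            return None
        return entry.email


def register(store: ActivationStore, account_type: str, preferred_email: str,
             institutional_email: Optional[str] = None,
             now: Optional[float] = None) -> Tuple[str, str]:
    """Validate a registration request and issue its activation token.

    Trainee and Staff accounts must supply an nih.gov / fda.hhs.gov address, and
    the activation message goes there even when the preferred address differs.
    Returns (address the link is sent to, token to embed in the link).
    """
    if account_type in ("trainee", "staff"):
        if institutional_email is None or not is_staff_email(institutional_email):
            raise ValueError("Trainee/Staff accounts require an nih.gov or fda.hhs.gov address")
        target = institutional_email
    else:
        if email_domain(preferred_email) is None:
            raise ValueError("a valid e-mail address is required")
        target = preferred_email
    return target, store.issue(target, now)
```

The `now` parameters exist so expiry can be exercised deterministically; in production they default to the clock. The token itself is never written down by the store, only its digest, and `activate` removes the entry whether the token was valid or stale, so a link can never be replayed.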
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Safety Reporting
Portal
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200 (Clinical, Basic and Population-Based Research
Study Records)
5. OMB Information Collection Approval Number: 0910-0645
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Safety Reporting Portal (SRP)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kelly Fennington
10. Provide an overview of the system: The Safety Reporting Portal Project (SRP) was
initiated in order to develop a single portal for the electronic submission and analysis of adverse
event data in a standardized format to accommodate existing Federal requirements. The SRP
will result in a Web-based method for consumers, health professionals, investigators, sponsors,
and other parties to electronically submit adverse event reports and other safety information (e.g.,
consumer complaint and product problem reports) utilizing applicable data sets. The portal will
employ an interactive help system that will help reporters determine what specific data need to
be submitted and to whom. The system will utilize electronic data exchange standards to make
this resource available to anyone needing to report either post- or pre-market adverse event
information to FDA or NIH. This collaborative project is expected to create tools that will allow
any user to submit adverse event information that corresponds to a wide range of forms already
in use by many agencies.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII may be entered into the system by various stakeholders, including consumers, health
professionals, investigators, and sponsors. The system will share or disclose PII to NIH and
FDA for the purpose of electronically submitting adverse event reports and other safety
information (e.g., consumer complaint and product problem reports).
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The portal will employ an
interactive help system that will help reporters determine what specific data needs to be
submitted and to whom. The system will be available to anyone needing to report either post- or
pre-market adverse event information to FDA or NIH. This collaborative project is expected to
create tools that will allow any user to submit adverse event information that corresponds to a
wide range of forms already in use by many agencies, e.g., FDA Form 1005, 1002, VICH GL42
and GeMCRIS.
In each case, the Government Authorization for collecting PII is the same as it is per the
corresponding form currently in use today (e.g. section 519 of the Federal Food, Drug, and
Cosmetic Act for post-market medical device reporting). The information described on the
existing and corresponding forms will be requested through the SRP. The type of PII included in
these reports and whether submission of personal information is voluntary or mandatory depends
on the type of report and whether it is an initial report or a follow-up report.
In general, the system has the capability to include PII relating to:
- General Notification Information (e.g., Provider/Physician Name, reporter name,
Manufacturer contact name, etc.)
- Subject Demographic Information (including Patient Identifier, Patient/Owner Name and
address, Patient's age/DOB, gender, race, height, weight, family information, phone number,
email, etc.)
- Medical and Event Information (including Adverse Event description containing event
outcome, symptoms, reactions, diagnosis, lab results, autopsy information, vaccine information,
subject medical history, interventions, observations, and may also include attachments of
medical records).
A more detailed analysis of the types of information to be contained in the system, including PII,
has been documented in the System Security Plan under “System Security Categorization”.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) A Notice of Privacy Practices (NPP) will be posted on
the Portal.
Consent from users is not required: Law mandates what PII must be collected in mandatory
reports.
In voluntary reports, the entering of PII is not mandatory.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical: Guards, identification badges, key
cards, cipher locks and closed circuit TV.
Administrative: System security plan, contingency (or backup) plan, user manuals for the system
and methods are in place to ensure least privilege.
Technical: User Identification, passwords, and encryption.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD SciLife
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No; included in the existing mentoring project by
OBSSR
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0014
5. OMB Information Collection Approval Number: 0925-0475
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): SciLife
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Bruce Fuchs
10. Provide an overview of the system: To engage high school students in underserved
communities through a series of practical workshops on career exploration and college planning.
One of the leading occupational choices for both males and females is health care. This is
encouraging because 9 of the 20 occupations projected to grow the fastest over the next 10 years
are in health care (Bureau of Labor Statistics, 2002, 2003; Thompson and Chao, 2003).
However, students who choose this field more often than not state that they plan to be doctors,
and few can name other kinds of medical careers (CIEWD, 2002). The National Institutes of
Health (NIH) Office of Science Education (OSE) provides the LifeWorks™ Web site as a tool
for students to use to raise their awareness about the broad range of health and medical science
career pathways and to help them make career decisions.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No 09-25-0014
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1 & 2. OSE will collect
names, addresses and emails for the purpose of registration for the SciLife program.
3. Yes, we collect names, addresses and emails.
4. The submission is voluntary; it is needed only to register for the program.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) 1. The information is used for contacting the customers
only. We notify them via email of any changes.
2. We collect PII for our internal registration use only. We do not give out their
information.
3. We do not give out PII other than as required by law.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative: Regular access to
information is limited to National Institutes of Health, Office of Science Education (OSE)
contractors and employees who are conducting, reviewing or contributing to the SciLife 2008
program. Other access is granted only on a case-by-case basis, consistent with the restrictions
required by the Privacy Act (e.g., when disclosure is required by the Freedom of Information
Act), as authorized by the system manager or designated responsible official.
Physical Safeguards: Servers where documents are stored are in closed, restricted buildings, in
areas which are not accessible to unauthorized users, and in facilities which are locked when not
in use. Records collected for this project are maintained separately from those of other projects.
Sensitive records are not left exposed to unauthorized persons at any time. Sensitive data in
machine-readable form may be encrypted. Faxed permission forms are received in secure,
electronic form.
Technical Controls: Access to records is controlled by responsible employees and is granted only
to authorized individuals whose identities are properly verified. Data stored in computers is
accessed only through authentication by authorized personnel. When personal computers are
used, magnetic media (e.g. diskettes, CD-ROMs, etc.) are protected as under Physical
Safeguards. When data is stored within a personal computer (i.e., on a "hard disk"), the machine
itself is treated as though it were a record, or records, under Physical Safeguards. Contracts for
operation of this system of records require protection of the records in accordance with these
safeguards; OSE project and contracting officers monitor contractor compliance.
http://oma.od.nih.gov/ms/privacy/pa-files/0156.htm
RETENTION AND DISPOSAL:
Records are retained and disposed of under the authority of the NIH Records Control Schedule
contained in NIH Manual Chapter 1743, Appendix 1 - "Keeping and Destroying Records" (HHS
Records Management Manual, Appendix B-361), item 1100-C-2. Refer to the NIH Manual
Chapter for specific disposition instructions.
SYSTEM MANAGER(S) AND ADDRESS(ES):
See Appendix I.
Policy coordination for this system is provided by: Acting Director, Office of Reports and
Analysis, Office of Extramural Research, Office of the Director (OD), Building 1, Room 252, 1
Center Drive, Bethesda, MD 20892.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Secure Payee
Registration System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Secure Payee Registration System
(SPRS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Karen Logue
10. Provide an overview of the system: The Office of Financial Management (OFM) Secure
Payee Registration System (SPRS, pronounced “spurs”) was designed to directly replace the use
of the Central Contractor Registry (CCR) in the SREA Payment and Reporting System (SREA
PRS) used by OFM and the Center for Scientific Review (CSR) to pay individuals for their
participation in the peer review process. SPRS is a web-based application which collects and
stores information required by the US Treasury and the IRS to make payments to individuals and
handle appropriate year-end reporting. SPRS was designed to be flexible enough to
accommodate multiple associated payment applications (“partner applications”), like SREA
PRS, so that eventually OFM will have a single repository of this sensitive information instead of
having various gap systems collecting and maintaining their own data separately.
SPRS allows for the secure authentication of individuals who can modify their own registration
data. Further modification of the data is limited to select OFM personnel. In this way SPRS puts
the control of the individuals’ data (and the responsibility of keeping it up to date) back in their
own hands, freeing OFM staff for other tasks. SPRS is a private system, and the data in SPRS is
only for use by OFM staff and others who have a role in making sure the registrants get paid.
Particularly sensitive data in SPRS is encrypted before it is stored to prevent compromise of the
data in the case of theft.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PII for the individuals registered in the system is shared with the US Treasury for the purposes of
paying the individuals for their services. The information is also sent to the NIH Central
Accounting System to track the payments. Finally, administrative users of the system have
access to the information for the purposes of correcting errors and troubleshooting problems
related to individual registrations and payments.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: For each registrant SPRS
collects and maintains a history of the user’s login name*, first*, middle, and last name*, Social
Security Number, mailing address*, email address*, bank account number, bank routing number,
and bank account type (* indicates mandatory). The information will be used to pay the
individuals for their services rendered or amounts otherwise due to them from NIH. Information
collected is PII. Submission of PII is mandatory in order to receive payment from the NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No process exists for notifying individuals of major
changes to the system or use of the information – no changes are planned. Should such a change
occur that would require notification, the individuals would likely be notified by email.
In the case of the SREA PRS peer application, during registration, the individuals actively supply
their SSN and banking information. A description of the use of this information is available in a
Frequently Asked Questions (FAQ) page available to registrants. Their name, mailing address,
and email address are imported from the eRA Commons/IMPAC II system; notice for use of this
information is not mentioned in the FAQ.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The externally-accessible site is protected
by NIH Login, and the only information accessible on the external site is that of the user
(registrant) logging in. There is no access to other registrants’ information from the external site
regardless of login. The sensitive information (SSN, bank account information) entered by these
users is encrypted in the database to prevent unauthorized access. The internal site is similarly
protected by NIH Login and can only be accessed from systems on the NIH campus or via VPN.
Only users authorized to access the internal site may log in, and by default these users do not have
access to SSN or banking information of the registrants. Access may be granted to view and
change this sensitive information by the system owner if it is deemed necessary for the proper
operation of the system (troubleshooting problems, for example). The web server and database
server that comprise the system are subject to the physical controls imposed by the hosting
centers.
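This Q54 answer describes three layered controls: the external site returns only the record of the registrant who logged in, the internal site is reachable only from the NIH campus or via VPN, and internal users see SSN and banking fields only when the system owner has granted that access. The following is an added example, not code from SPRS or from this PIA, that models that policy as an authorization check in front of a registration record. The internal network range and the role name `sensitive_view` are assumptions; the encryption of the sensitive columns at rest that the page describes is outside this example (the masking shown here is what a caller without the role sees, not the storage format). The registration record is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Fields the PIA calls sensitive (SSN and banking data).
SENSITIVE_FIELDS = frozenset({"ssn", "bank_account_number", "bank_routing_number"})

# Assumed: the role the system owner grants when troubleshooting requires clear values.
SENSITIVE_VIEW_ROLE = "sensitive_view"

# Assumed placeholder for "NIH campus or VPN" address space; not NIH's real ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class User:
    user_id: str
    site: str                              # "external" (registrant) or "internal" (OFM staff)
    roles: FrozenSet[str] = frozenset()


@dataclass
class Registration:
    registrant_id: str
    fields: Dict[str, str]


class PermissionDenied(Exception):
    pass


def mask(value: str) -> str:
    """Show only the last four characters, as a help desk would see an SSN."""
    keep = value[-4:]
    return "*" * (len(value) - len(keep)) + keep


def is_internal_client(client_ip: str) -> bool:
    """True if the request source lies inside the assumed campus/VPN ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def view_registration(user: User, record: Registration, client_ip: str) -> Dict[str, str]:
    """Apply the SPRS disclosure policy to one registration record.

    External site: a registrant may read only his or her own record, in full.
    Internal site: reachable from internal addresses only; sensitive fields are
    masked unless the caller holds the owner-granted role.
    """
    if user.site == "external":
        if user.user_id != record.registrant_id:
            # No cross-registrant access on the external site, whoever is logged in.
            raise PermissionDenied("registrants may view only their own registration")
        return dict(record.fields)

    if user.site != "internal":
        raise PermissionDenied("unknown site")
    if not is_internal_client(client_ip):
        raise PermissionDenied("internal site is reachable only from campus or VPN")

    reveal = SENSITIVE_VIEW_ROLE in user.roles
    return {
        name: (value if reveal or name not in SENSITIVE_FIELDS else mask(value))
        for name, value in record.fields.items()
    }
```

The check is deliberately default-deny: an internal user with no roles gets the masked view, and the role has to be present on the user object, so a grant by the system owner is an explicit, auditable change rather than the absence of a restriction.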
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Status of Funds
Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/10/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Status of Funds, Internet Edition
(SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Pat Porter or Deepak Mathur
10. Provide an overview of the system: SOFie is a reporting tool that allows an
Institute/Center (IC) to manipulate and report on financial transactions and general accounting
information downloaded from the NIH Central Accounting System (CAS). It tracks budget
allocations, open commitments, obligations, invoicing and payments. Transactions are passed
through other systems and then downloaded, or linked into the shared data system nVision Data
Warehouse, where they are then uploaded into SOFie and exported to Excel. Downloads are processed
on a daily basis, generally in the evening hours, to ensure all allocation entries and adjustments
have been captured. The daily downloads allow administrative and management
staff to accurately report on the budgets established within the IC office, laboratory, section or
branch. Transactions are organized by the Financial Transaction Accounting Structure (MAS). The
MAS groups the CANs into summary levels, which include the appropriation source, allotment
number, budget activity, allowance name and cost center; each CAN is tied to a project number,
categorized by Object Class Code (OC), and summarized and itemized by the individual Document
Numbers assigned for reference purposes. Additional manipulation is possible to track expenses by
month of fiscal year, by date range, and through several stages of the acquisition process.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Fiscal year operational
information and general accounting data is downloaded from the NIH Central Accounting
System (CAS) into a commercial, off-the-shelf (COTS) software product purchased by the
Institute/Center (IC) and exported to Excel. The financial information is specific to the IC and is
organized by category (e.g., salary, benefit, award, appropriation, central services, etc.). It can be
stored by organizational code, object class code, date or amount of a commitment, expenditure,
or obligation, etc. The system contains no personally identifiable information (PII) on any
individual.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Stem Cell Survey
Database
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/17/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Human Stem Cell Guidelines
Comments Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: David Rosen
10. Provide an overview of the system: A web-based form is provided that asks the public to
comment on the "Draft NIH Human Stem Cell Guidelines" policy (URL
http://nihoerextra.nih.gov). Three data items are asked for:
Name, Affiliation and Comments. The name is the only piece of data that is PII, and it is optional.
The web server will insert the comments in an MS SQL 2005 database. The comments will all be
publicly available.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Respondents are notified that the data items listed in answer 10 will all be publicly available.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Question 10 lists the data
that will be voluntarily collected. PII data submission is voluntary (first and last name is the only
PII collected).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Respondents are notified while they are filling out the
comment form that the only PII data item asked for is optional. The comments provided will be
considered by the Federal Government while shaping Human Stem Cell Usage policies.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Physical controls are in place including
guards, keycards, and ID badges.
Administrative controls are in place that ensure least privilege for each user group as appropriate.
System administrators will have full access, but the general public will only be able to submit
and browse survey responses. All system administrators take required training each year to
ensure they understand how to secure information systems and PII data properly.
Technical controls are in place to ensure that those with access to sensitive data and systems use
industry accepted best practices to secure login credentials. A corporate firewall is in place that
only allows web traffic from outside of NIH; all other firewall ports are closed to prevent outside
intrusion.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Promoted by Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Strategic Initiatives
Database [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8610-00-402-125
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): OD Strategic Initiatives Database (SID)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Scott Jackson
10. Provide an overview of the system: The new Strategic Initiatives Database (SID) provides
a robust, scalable, and relational database environment that will store the data and business rules
(procedures) required to maintain the strategic initiative budgetary information for forecasting
and extensive reporting. It also includes a graphical user interface (GUI) that will be highly
deployable by reducing the points of deployment to a single location – the Internet. The SID will
allow the OD Office of Portfolio Analysis and Strategic Initiatives (OPASI) to access their
workloads and will provide them with the tools to print standard and ad hoc reports that meet
their daily requirements for financial grant information. The SID will allow budget officers
across the enterprise to acquire data (via a secure GUI) for their own budgetary processes.
Similarly, the SID controls user access to allow specific data to be viewed only by relevant Users
by use of Active Directory (AD) and database security controls.
As a result, the OD OPASI can expedite budgetary changes by applying the changes to the SID
data, making forecasting and reporting data immediately reflect accurate, real-time modifications
to grant financial information before the effects take place in the IMPACII or DataWarehouse
databases. This step circumvents the time-costly need to wait for updates to IMPACII or
DataWarehouse data, which often take several days or weeks to reconcile if the results there are
incorrect. With the SID, the numbers are made available immediately (and later reconciled with
the IMPACII and DataWarehouse databases) or immediately rectified when problems become
apparent.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
IIF is obtained from the eRA system and shared with NIH Budget and Program staff to assist
with tracking the funding of research grants IAW SOR# 09-25-0036.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The new SID will store
business data including name, phone number, and e-mail addresses, which are required to maintain
the strategic initiative budgetary information for forecasting and extensive reporting. It also
includes a graphical user interface (GUI) that will be highly deployable by reducing the points of
deployment to a single location: the Internet. The system contains IIF that is a required part of
the grant application.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF is submitted as a part of the grant application
process. Information used by the OD Strategic Initiatives Database (SID) is taken from the ERA
grant application. Notification and consent from the individual is assumed when the grant
application is submitted. All notification and consent is taken care of via the Grant application
submission process.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: IIF in the system will be secured using
administrative controls such as least privilege access, which allows for role-based security
measure to be in place. Technical controls include single sign-on using user name and password,
housing the system behind a firewall in a server room with no external access, and
implementing an intrusion detection system. Physical access controls include guards,
identification badges, and key cards. All personnel not having card key access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Technology Tracking
System (TechTracs)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/31/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4621-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0168
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): TechTracS
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Stephen Finley
10. Provide an overview of the system: NIH TechTracS is a relational database management
system that manages and monitors all aspects of the technology transfer process; i.e., CRADAs,
invention disclosures, U.S. and foreign patent prosecution, license applications and agreements,
technology, marketing, royalties’ collection, technology abstracts, statistics, and financial
management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
1) Disclosure may be made to a congressional office from the record of an individual in response
to an inquiry from the congressional office made at the request of that individual.
2) Disclosure may be made to the Department of Justice or to a court or other tribunal from this
system of records, when (a) HHS, or any component thereof; or (b) any HHS employee in his or
her official capacity; or (c) any HHS employee in his or her individual capacity where the
Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the
employee; or (d) the United States or any agency thereof where HHS determines that the
litigation is likely to affect HHS or any of its components, is a party to litigation or has an
interest in such litigation, and HHS determines that the use of such records by the Department of
Justice, court or other tribunal is relevant and necessary to the litigation and would help in the
effective representation of the governmental party, provided, however, that in each case HHS
determines that such disclosure is compatible with the purpose for which the records were
collected. Disclosure may also be made to the Department of Justice to obtain legal advice
concerning issues raised by the records in this system.
3) NIH may disclose records to Department contractors and subcontractors for the purpose of
collecting, compiling, aggregating, analyzing, or refining records in the system. Contractors
maintain, and are also required to ensure that subcontractors maintain, Privacy Act safeguards
with respect to such records.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The OTT will collect and
store inventor name, address, NED Unique Identifier (SSN required if inventor is receiving
royalties and is a non-NIH employee), title and description of the invention, Employee Invention
Report (EIR) number, Case/Serial Number, prior art related to the invention, evaluation of the
commercial potential of the invention, prospective licensees' intended development of the
invention, associated patent prosecution and licensing documents and royalty payment
information.
2) The OTT will collect this information to obtain patent protection for PHS inventions and
licenses for these patents to: (a) scientific personnel, both in this agency and other Government
agencies, and in non-Governmental organizations such as universities, who possess the expertise
to understand the invention and evaluate its importance as a scientific advance; (b) contract
patent counsel and their employees and foreign contract personnel retained by the Department
for patent searching and prosecution in both the United States and foreign patent offices; (c) all
other Government agencies whom PHS contacts regarding the possible use, interest in, or
ownership rights in PHS inventions; (d) prospective licensees or technology finders who may
further make the invention available to the public through sale or use; (e) the United States and
foreign patent offices involved in the filing of PHS patent applications.
3) The information collected contains PII (Social Security Numbers) for non-NIH inventors who
are to receive royalty payments.
4) The submission of the SSN by non-NIH inventors is mandatory only if they are to receive
royalties.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Any changes that are made to the information collected
would be provided via our website and on any updated EIR. We also have the capability to send
e-mails directly to individuals from TechTracS. We have not had any significant changes to this
data since TechTracS was launched and have not had to do this.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Through the use of limited field access to
the system administrator, and user id, passwords, the NIH firewall, and intrusion detection
systems. The SSN field is viewable only by the system administrator. The front doors to OTT
require a key card to access as does the server storage room. New security safeguards for the
protection of SSNs and other personally identifiable information are being made to the system in
that the NED ID Badge Number is being used as a substitute for the SSN in some cases. The
OTT will work with its ISSO to address additional security measures with the new Tech Tracs
system and look for possible solutions at the earliest opportunity.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Susan Bruff
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH OD Woman of Color
Research Network
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/28/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Women of Color Research
Network (WoCRn)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Cerise L. Elliott, Ph.D.,
elliottce@mail.nih.gov or keren.witkin@mail.nih.gov
10. Provide an overview of the system: The NIH OD Women of Color Research Network
(WoCRn) is a web-based application to engage and build a community of scholars and women of
color in biomedical research. Members of the WoCRn are volunteers who self-identify as women
of color or who are interested in issues of women of color in biomedical research. The network
will be a key component of the NIH and OD Office of Research on Women’s Health (ORWH)
outreach efforts to provide technical and capacity-building assistance to communities of color,
constituencies of NIH staff, and other relevant community-based organizations and institutions
serving racial and ethnic minority and women’s populations.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system shares or discloses PII with NIH, the wider scientific community and any member of
the public, through closed membership, for the purpose of providing opportunities for women of
color to network and receive mentoring and contribute to expanding the diversity of the scientific
workforce.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) The National Institutes
of Health (NIH), through the efforts of the NIH Working Group on Women in Biomedical
Careers, is pursuing innovative actions to enhance the inclusion of Women of Color (WOC) in
biomedical research careers. WOC face challenges related to both sex/gender and race/ethnicity,
the combination of which warrants specific attention. The Women of Color Research Network
(WOCRN) is one way that NIH hopes to ensure that the unique career challenges faced by WOC
are addressed, including recruitment, retention, promotion, and mentoring. It is intended to open
doors to new collaborations, career development opportunities, and to provide new avenues for
those interested in diversity to connect and interact.
The WOCRN includes career resources, a forum for the exchange of ideas, and a registry where
participants can identify themselves, their expertise, and their interests, and can seek out a
mentor, a mentee, or both. It provides a platform and source of information for those interested
in supporting WOC in biomedical and behavioral research.
The WOCRN is intended to provide opportunities for networking and mentoring for WOC with
each other, the NIH, the wider scientific community, and any member who would like to
contribute to expanding the diversity of the scientific workforce. Periodically, members may
receive email alerts from the NIH and the Office of Research on Women’s Health noting
upcoming events, invitations to participate in review, and notice of relevant advances in science.
This network was designed with the hopes that active participation will help prepare and promote
the participation of talented women and men of all backgrounds in the scientific workforce.
2) The information in the system will be used for outreach and to aid in diversification of the
NIH workforce.
3) The information in the system includes PII.
4) Submission of PII is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) (1) Voluntary submission of PII onto the system will
represent the voluntary consent of the individual. A statement attesting to the same is included
on the web entry page. Following NIH best practices, when changes to the system are made an
electronic announcement will be placed prominently on the system homepage. (2) See the preceding
paragraph. (3) Information will be shared in an electronic format with other registered members
and staff of the NIH that also register on the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PII will be secured by user-selected
passwords with strong password complexity and expiration policies enforced. Web and database
servers are dedicated machines maintained in a secure data center with strong physical access
controls and continuous monitoring implemented.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine Jones and/or Karen Pla
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORF Constructware
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011?
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3344-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Constructware
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jon Sweeney
10. Provide an overview of the system: Constructware is the Construction Project
Management System for ORF.
Constructware provides tools for project management in the area of capital facilities programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Collects information
regarding ongoing construction projects within NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORF EDMS
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 6/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3344-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH ORF Electronic Database Management
System (EDMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Samna Ali
10. Provide an overview of the system: The EDMS is a building drawing repository that is a
central, secure, web-based system in which authorized users can browse or search for engineering and
architectural drawings of the NIH facilities. It allows individuals with appropriate permission
levels access to the drawings without allowing access to the entire database. It provides an easy-
to-use drawing repository. Users with appropriate permission levels are able to import drawings
into the repository for easy access via NIH specific search criteria. EDMS eliminates the
problem of terminology inaccuracies and inconsistencies by providing a central repository with
index information controlled through user selection lists. It provides for the browsing and
categorization of drawings based on NIH campus, building, floor, room, and discipline.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The EDMS stores
information about NIH facilities. The majority of the information is in the form of architectural
and engineering drawings; in TIF, PDF, and DWG formats. Some information is in the form of
Excel worksheets and Word documents. NIH uses this information to support facility operations
including operation and maintenance and renovations.
EDMS users must have access to the NIH Domain to view the EDMS homepage. From the
homepage, they must supply a valid username and password to gain access. Access is controlled
so users access only the facilities they need to see. Information required for a user account is the
username and password (which is stored in an encrypted format). If a user requests to be notified
when information in the EDMS changes, an email address (federal employee email ONLY) can
be stored with their user account. Please note that an email address is not mandatory information; it
is voluntary information that individuals can provide if they choose to do so, though the majority of
users do not. The collected information does not contain any personal information in
identifiable form.
The SharePoint-based EDMS system allows users to login using credentials that are used to login
to their desktop computer. No additional information is requested from end users. Users can
choose to edit their profile, which is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORF Facilities Information
Management System (FIMS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 4/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3331-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): Facilities Information Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Caleb Hartsfield
10. Provide an overview of the system: FIMS is comprised of a cluster of applications for
storing, modifying and disseminating facility information, the core component of which is
ARCHIBUS. ARCHIBUS is an integrated suite of applications that addresses all aspects of
facilities and infrastructure management. It stores, maintains and reports on NIH owned and
leased space. The tracking and reporting of the portfolio is not associated with any personal
identifiers.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The information the agency
will collect is the location and square footage of all owned and leased space and the
IC/organization occupying the space. This information is used to calculate rent, provide
information to ICs/organizations on the space they occupy and to plan moves and renovations.
This information will be used to report on Federal Real Property Performance Measures to HHS.
The agency will also collect information to provide a centralized repository of available animal
facility resources, such as cages, feed, autoclaves, veterinary medical supplies in the event of a
campus emergency. The collected information does not contain any personal information in
identifiable form.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Not Applicable
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: FIMS does not retain any PII data other
than for the use of identifying FIMS users and for contact purposes. Only federal employees
have access to FIMS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORF PC Energy
Management System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 4/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3358-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): PC Energy Management System (PEMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Greg Leifer
10. Provide an overview of the system: The system provides remote, network-level control
over the PCs' and monitors' power settings; manages communications with the Surveyor Clients;
and collects and stores energy-consumption data. The client module resides on each PC to
collect and transmit power-state and energy-consumption data to the server, and "check in" with
the server for updates to power-setting profiles.
The collected data is transmitted across the network to the server, where it is stored in the SQL
database. (If the server is down, the client will continue to collect and store the data until the
data can be transmitted to the server.) Reports are then generated to summarize energy usage.
For the initial implementation phase, data is collected for two weeks and sent to the vendor for
analysis. In return, the vendor provides the optimal energy saving policies. These policies are
reviewed, then implemented. Once implemented, data is captured for another two weeks to
determine the baseline energy savings.
The Surveyor application is comprised of a:
• Server
• Client module
• SQL database management system
• Report generator
The following tables document the system’s environment including the software, hardware, and
system interconnections.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects data
regarding energy usage of information technology (IT) components used at ORS and ORF. The
data is analyzed and profiles are created to optimize energy usage. The energy usage
information collected from IT components is mandatory, and does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no PII in this system; only username and login
time are captured.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Animal Behavior
System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Animal Behavior System
[System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Jim Weed (301) 435-7257
10. Provide an overview of the system: The Animal Behavior System (ABS) tracks animal
behavior records for monkeys and dogs. The ABS records the behavioral information and is
used for reports. For example, if a monkey demonstrates a behavior in which it is scratching its
hair off then everything pertaining to that behavior would be tracked (e.g. how often the monkey
scratches, the size of patch, etc.). The information that is tracked would be documented and used
for reports which would lead to discussions about the progress of the condition.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (i) The agency collects and
maintains animal behavior records for monkeys and dogs.
(ii) The system will automate the data collection of animal behavior. Information will be used to
generate reports on the pattern of animal behavior (monkeys and dogs) for research purposes.
(iii) The Animal Behavior System does not collect, maintain or disseminate PII information.
(iv) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Animal Facility
Environmental Monitor [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 4/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Animal Facility Environmental
Monitor [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ivan Locke, System Owner,
(301) 435-2118
10. Provide an overview of the system: Animal Facility Environmental Monitor (AFEM) is a
National Institutes of Health (NIH) application/system that has been categorized as a Major
Application. The AFEM application resides on NIHnet and consists of several workstations
running Microsoft Access and SQL databases at the following locations: 1) the main NIH
campus in Bethesda; 2) Rockville; and 3) Poolesville. With the exception of the Ambulatory
Care Research Facility (ACRF) floor monitoring workstations in Building 10, AFEM
workstations pull data directly from panels on both the Johnson Controls (FACnet LAN) and
Siemens (Man-machine Interface (MMI)) modules of the Building Automation System (BAS).
The AFEM application has the following functionality:
• Individualized (customized by IC/Facility/Accreditation cycle) alarming and historical
reporting and trending of temperature, humidity, air changes, supply and exhaust airflow,
directional pressures, and lighting parameters. Point values are polled from the BAS in 15
minute intervals, lighting trends are polled from the BAS in 60 minute intervals.
• A repository for facilities related information (floor plans, building system drawings,
etc.) in support of IC Animal Facility daily operations.
AFEM reports alarms based on the BAS (Siemens or Johnson Controls) provided status of the
point. The historical reporting and trending portion of AFEM’s functionality is used to help
maintain AAALAC (Association for Assessment and Accreditation of Laboratory Animal Care)
accreditation.
Note: Per the NIH COOP, AFEM service/functions are at the highest priority in the ORF Risk
Management Model.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) AFEM collects the
following information directly from the Building Automation System (BAS): status point values
for temperature, humidity, air changes, supply and exhaust airflow, directional pressures and
lighting parameters; 2) AFEM collects the information for the purpose of monitoring the changes
in status point values over time in order to provide an alarming capability (in the event status
point value changes are not within certain parameters) and historical reporting necessary to
maintain accreditation from the Association for Assessment and Accreditation of Laboratory
Animal Care (referred to as AAALAC accreditation); 3) None of the information contains PII;
and 4) AFEM does not store personal information of any kind.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) AFEM does not collect, maintain or otherwise
disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Application Hosting
Environment [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3358-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): ORS/ORF Application Hosting
Environment
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ben Ashtiani
10. Provide an overview of the system: The ORS/ORF Application Hosting Environment is
the underlying server and security infrastructure that provides the hosting capability for
ORS/ORF applications. AHE is mainly a Microsoft Windows-based environment running on
multiple versions of Windows to support different business processes. The majority of the
equipment is located in Building 12, while the rest of the equipment is located in a server room
in Building 10. In addition to the Windows operating system, AHE consists of the following
products: MS SQL, Oracle, EMC and SATA SAN storage devices, and management tools such as
Symantec NetBackup and a virtual tape library, which administer the AHE environment.
Information stored by AHE is considered generic IT information and does not contain Personally
Identifiable Information (PII) or clinical data. Most applications hosted in this
environment are hosted on VMware ESX virtual servers; a small number of applications reside on
dedicated servers. ORS major applications and supporting data are beyond the accreditation
boundary of AHE C&A effort.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
n/a
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: AHE does not collect,
maintain or disseminate PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) n/a
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: n/a
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Background
Investigation Tracking System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 6/20/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3357-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-90-0020
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Background Investigation Tracking System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Theresa Minter
10. Provide an overview of the system: BITS tracks the background investigation status of
potential employees of NIH.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system shares the investigation status (pending, ongoing, complete).
Investigation status information is shared with HSPD-12 Issuers and Adjudicators who are
designated in writing and personnel security staff who must interface with Applicants.
Information is shared as part of the PIV card issuing process, e.g. investigation status must be
verified prior to issuing or revoking a PIV card.
This information is further addressed in the NIH Privacy Act System of Records Notice 09-90-0020, published in the Federal Register, Volume 60, January 20, 1995.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Yes, the information contains
IIF. Submission of the personal information is voluntary. However, the absence of required
information may impact position selection decisions. The agency collects the information needed to
track the background investigation status of potential NIH employees. Additionally, the system
can be used by FTEs to pre-register visitors to the NIH Bethesda campus.
Categories of PII:
Name; Date of Birth; SSN; Photographic Identifiers; Mother's Maiden Name; Vehicle
Identifiers; Personal Mailing Address; Personal Phone Numbers; Medical Records Numbers;
Medical Notes; Financial Account Information; certificates; Legal Documents; Device
Identifiers; Web URLs; Personal E-mail Address; Education Records; Military Status;
Employment Status; Foreign Activities; Other
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) The information collected is obtained from the actual
individuals. Information is not obtained through observation.
Processes are being put into place, with the HHS HSPD-12 System of Records for the HSPD-12
systems, to notify and obtain consent from individuals whose IIF is in the system. Name and SSN
are being collected, and this information is shared only with officially designated HSPD-12
Sponsors, Adjudicators and Issuers.
Processes are also being put into place, with the HHS HSPD-12 System of Records for the HSPD-12
systems, to notify and obtain consent from individuals whose IIF is in the system when major
system changes have occurred.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is protected by a number of
different controls that can be viewed in detail in the system C&A package; some of the major
controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user
names and passwords, and role-based access. For physical protection, the NIH campus is
protected by guards and police; in addition, the server itself is kept behind a locked door.
Administratively, procedures are in place to allow only individuals with a job-related necessity to
access IIF.
Hard copies of IIF data are stored in locked file cabinets inside key-card-controlled spaces. File
cabinet key control is maintained through a key control locker with written log-out records.
Access is controlled based on officially designated role assignments, which are in writing.
System data is protected by dual-authentication logon, while database systems are maintained in
the NIH CIT security-controlled computer facility, which has special key-card entry controls,
guards, and CCTV security cameras. In addition, the system network includes an intrusion
detection system and firewalls to detect and limit access, respectively.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Clinical Access
Manager (CAM)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 6/8/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3314-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0105
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): 5BA45007-0583-482E-BD25-9ABF911094BA
7. System Name (Align with system Item name): Clinical Access Manager (CAM)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Herb Jacobi or Deborah Wilson
10. Provide an overview of the system: The HealthRx Clinical Access Manager (CAM) is a
configurable enterprise-level clinical scheduling, electronic medical record, electronic medical
surveillance manager, and clinic administration tool that is suitable for any size clinic. CAM is
designed specifically for health care delivery. Its primary purpose is to provide "easy to use"
scheduling, patient tracking, charge capture, documentation, and administration for any resource-
intensive service organization that has complex scheduling and interrelated resource
management requirements.
CAM improves patient flow by allowing all authorized personnel to schedule patients from their
own workstation onto a common master departmental schedule. Further, CAM enhances staff
effectiveness by reducing the time required to handle routine scheduling and rescheduling
chores.
CAM's conflict resolution and scheduling functions reduce cancellations and no-shows with a
sophisticated reminder and call-back system and by tracking reasons for missed appointments.
This increases revenue both by increasing patient volumes and by ensuring that all charges are
captured automatically.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Disclosure of any information would be in strict accordance with SOR # 09-25-0105 as
described under "Routine Uses of Records in the System, Including Categories of Users and the
Purposes of Such Uses." This information is further addressed in the NIH Privacy Act System
of Records Notice 09-25-0105, published in the Federal Register, Volume 67, No. 187, September
26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system maintains
employee identification and medical records information so that preventive measures can be
taken and work-related injuries/illnesses can be managed. Accident and injury information is
maintained in compliance with Department of Labor regulations. Submission of the information
is voluntary but required to secure treatment. The information contains IIF; submission of this
information by patients is mandatory to receive medical care and consultation, to maintain
accurate medical records, and to submit accident and injury (workers' compensation) claims to
the DOL.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There currently are none
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is protected by a number of
different controls that can be viewed in detail in the system SA&A package. In addition, some
of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the
use of user names and passwords, and role-based access. For physical protection, the NIH
campus is protected by guards and police; in addition, the server itself is kept behind a locked door.
Administratively, procedures are in place to allow only individuals with a job-related necessity to
access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Contract
Management System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Contract Management System
[System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Kenneth Roman (301) 435-
10. Provide an overview of the system: The Contract Management System (CMS) is a
predominantly historical database that captured the Office of Research Facilities/Office of
Acquisitions/Architect/Engineer and Construction Contracting Branch (ORF/OA/AECCB)
contract actions through June 2007 and invoice data through approximately 2009 / 2010 for the
Construction Contracts Branch, Office of Research Facilities (ORF). It is an invaluable
reference for historical data not readily available elsewhere.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (i) The agency collects
historical information about Office of Research Facilities (ORF)/OA-ORF, AECCB contract
actions through June 2007 and invoice data through approximately 2009 / 2010.
(ii) The data is maintained to track historical contract information for the Construction Contracts
Branch, ORF. Information will be used to generate reports.
(iii) The system does not collect, maintain or disseminate PII information.
(iv) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS CPR Training
Registration System
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 4/25/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3314-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4):
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH ORS CPR Training Registration
System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Gail Newcomb
10. Provide an overview of the system: The Division of Occupational Health and Safety CPR
Training System allows registration for CPR classes and maintains records of participant
completion.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) The system collects the first
and last names of participants, their building and room number, Institute, and email address. When
a person registers for a class, the system collects the location, time and dates the person will attend
the class and maintains records of certifications (start and end dates). This represents only federal
contact data. (2) The purpose of the collection is to allow registrants to attend either the
Healthcare Provider AED/CPR Training or the Lay Responder Training. It also allows tracking
and renewal of the two-year certification period granted by the training. (3) There is no PII
information collected. (4) This registration and training are mandatory for the Healthcare
Provider AED/CPR Training. The Lay Responder Training is voluntary.
Comment [AK2]: Not in the spreadsheet. Would not approve due to Federal contact
information collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.:
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Cyclotron Exhaust
Radiation Monitoring System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 4/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): CF660DED-FDBB-43B6-9EAF-885B4DE51902
7. System Name (Align with system Item name): NIH ORS Cyclotron Exhaust Radiation
Monitoring System [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Michael Roberson, (301) 496-
5774
10. Provide an overview of the system: The Cyclotron Exhaust Radiation Monitoring System
(CERMS) is a National Institutes of Health (NIH) Office of Research Facilities (ORF)
application/system that has been categorized as a Major Application. The CERMS is located in
Buildings 10 and 21 of the main NIH Bethesda campus and is responsible for monitoring the
emission of short-lived radioactive compounds generated by cyclotrons in the Clinical Center’s
Positron Emission Tomography (PET) Department. The monitoring is necessary to ensure that
emissions comply with and do not exceed regulatory limits.
The CERMS consists of 4 monitoring stations, which monitor 4 independent exhaust ducts
(located in Building 10) that emit short-lived radioactive compounds into the atmosphere. Three
of the monitoring stations are Thermo Eberline PET Stack Monitors and the fourth is an Apantec
PING (Particle, Iodine & Noble Gas) monitor.
Thermo Eberline and Apantec provide a graphical user interface that allows users to generate
reports; collect, view and analyze trends; and configure alarms.
The CERMS will have an internal interconnection with the Portal Monitor 12 (PM12)
monitoring system. The PM12 system is responsible for monitoring the radioactivity present on
people.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A. The CERMS does not store, transfer or otherwise disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) CERMS collects data
from the effluent of short-lived radioactive materials being emitted through exhaust ducts; 2)
CERMS collects the data for the purpose of monitoring the level of radiation present in the
exhaust effluent. The purpose of collecting the data is to ensure the radioactive exhaust effluent
is within regulated limits; 3) and 4) CERMS does not collect, maintain or otherwise store PII or
personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A. The CERMS does not store, transfer or otherwise
disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A. The CERMS does not store, transfer
or otherwise disseminate PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Dog Canine System
[System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Dog Canine System [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dr. Jim Weed, (301) 435-7257
10. Provide an overview of the system: The Dog Canine System tracks, maintains, and
manages animal behavior information about dogs. For example, the system tracks dogs'
reactions. The information that the Dog Canine System captures assists in the development of
the behavioral research in captive and wild animal populations. This growing body of scientific
investigation expands the understanding of basic principles underlying animal behavior relative
to biology, psychology, ecology, and natural history. As scientific research reveals increasing
detail about the mechanisms influencing and driving animal behavior, the ability to appropriately
manage and enhance the captive animal experience is opened to more possibilities and options
including the area of animal well-being.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (i) The agency collects and
maintains animal behavior records for dogs.
(ii) The data is collected to automate the collection of animal behavior information about dogs.
Information will be used to generate reports on the pattern of the behavior of dogs.
(iii) The Dog Canine System does not collect, maintain or disseminate PII information.
(iv) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS DSR net [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 9/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Diagnostic Service Request (DSR) net [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: James S. Crowell Jr. (301) 496-7049
10. Provide an overview of the system: Diagnostic Service Request (DSR) net system is used
to collect and record data from various veterinary diagnostic laboratories (bacteriology,
pathology, etc.) and format reports for transmission to facility veterinarians and investigators.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (i) The agency collects and
records data from various veterinary diagnostic laboratories (bacteriology, pathology, etc.), e.g.,
animal pathology records.
(ii) The data is collected and used to format reports for transmission to facility veterinarians and
investigators. Information will be used to generate reports.
(iii) The system does not collect, maintain or disseminate PII information.
(iv) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/10/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Ludlum Radiation Sensors [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Ludlum Radiation Sensors [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Andrew Cabot (301) 496-5774
10. Provide an overview of the system: The Ludlum Radiation Sensors System is a system of 4
portal monitors at the Building 10 B2 Loading Dock. These detectors sound an alarm (and
send an email to a handful of people) whenever a level of radiation is detected passing through
the portals, usually on housekeeping carts on their way to the dumpsters at the dock. There are
4 potential doorways through which housekeeping pushes its waste carts, so a monitoring system
was installed at each one, and each has a unique name identifying which portal was tripped. A
local alarm sounds and an email is sent to the Division of Radiation Safety (DRS) personnel in
Building 21, so they can immediately check the camera view and see what is going on. Or, if the
alarm occurs over the weekend and the incident is long gone, DRS personnel can take the date/time
of the alarm from the email and match it up to camera views using the playback feature. The
goal is to stop a bag of trash that contains something radioactive before it reaches the
dumpster (and therefore leaves campus for the solid waste transfer station). Housekeeping knows
(from the alarm) to hold that bag of waste instead of dumping it, and Radiation Safety knows
(from the email alert) that an event happened, so they can go look for the bag of
waste and take possession of it for disposal.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) Date, time, location, and
level of radiation detected
(2) Monitoring of Solid Waste
(3) No PII
(4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS MAXIMO
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3305-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): Maximo
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Ken Deng
10. Provide an overview of the system: The MAXIMO system tracks work orders, equipment
information, stock room items, purchase/rental equipment and billing information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects contact
information for individuals who request work orders. We collect only the requester's name,
phone, building, room and email address. All are public information, and the information is used
only to identify the requester; the technician needs the information to locate the customer and the
equipment. The name and office phone number are mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There are none.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is protected by a number of
different controls that can be viewed in detail in the system C&A package. Some of the major
controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user
names and passwords, and role-based access. For physical protection, the NIH campus is
protected by guards and police; in addition, the server itself is kept behind a locked door.
Administratively, procedures are in place to allow only individuals with a job-related need to access
IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS NIH Foreign National Information System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 6/11/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3341-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0140
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH ORS NIH Foreign National Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Candelario Zapata
10. Provide an overview of the system: The NIH Foreign National Information System
(NFNIS) will be a central storage database hosting NIH Foreign National immigration status
information. The NFNIS will store Personally Identifiable Information (full name, home address,
and telephone numbers) of all NIH Foreign Nationals working at NIH institutes and centers, and
although foreign nationals are not subject to Privacy Act requirements, the system also stores
emergency contact and dependent information which could entail PII for US Citizens. The
NFNIS supports the mission of the Division of International Services (DIS) by ensuring that the
NIH maintains compliance with all applicable U.S. immigration laws governing and/or
regulating their stay in the United States set forth by the U.S. Department of Homeland Security
(DHS), the U.S. Department of State, the U.S. Department of Labor, and other government
agencies pertaining to the foreign researchers, scholars, and staff. The NFNIS helps meet these
reporting requirements for international student/scholar by helping track, manage and report
international scholars to the various government agencies. Using the NFNIS ensures that DIS can
maintain Student and Exchange Visitor Information System (SEVIS) compliance, while
increasing overall productivity in its other areas of responsibility.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The NFNIS will store Personally Identifiable Information (full name, home address, and
telephone numbers) of all NIH Foreign Nationals working at NIH institutes and centers, and
although foreign nationals are not subject to Privacy Act requirements, the system also stores
emergency contact and dependent information which could entail PII for US Citizens.
Additionally, this information system may store PII for foreign nationals that apply for and
receive US citizenship. NFNIS provides manual uploads of the database to the U.S. Department
of Homeland Security (DHS), Customs and Border Protection (CBP) Student and Exchange
Visitor Information System (SEVIS) to meet U.S. immigration law reporting requirements.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Information that agencies
collect is primarily related to foreign nationals. Information collected contains PII and
submission is mandatory. This information is necessary to document the individual’s presence at
the NIH, to record immigration history of the individual in order to verify continued eligibility in
NIH research programs, and to meet requirements in the Code of Federal Regulations (8 CFR,
Aliens and Nationality, and 22 CFR, Foreign Relations) and other applicable immigration laws,
including Public Law 107-173, Enhanced Border Security and Visa Entry Reform Act of 2002
and Public Law 107-56, USA PATRIOT ACT.
Information Collected includes the following:
Name
Date of Birth
Social Security Number
Personal Mailing Address
Personal Phone Number
Personal Email Address
Education Records
Employment Status
NIH Immigration History
Office Case Number
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) IIF is collected by the NIH administrative or personnel
offices. The IIF collected only pertains to foreign nationals. That information is then sent to the
DIS to request immigration assistance. Based on the IIF collected by the IC, the DIS issues the
appropriate immigration document and sends it to the individual foreign scientist. The
immigration document itself contains notification and consent information. By signing and/or
using the immigration document to enter the U.S., the foreign scientist consents to the collection.
Different federal agencies (including the Department of
Homeland Security and Department of State) issue Federal Register notices when major changes
to data collection occur, such as with the USA PATRIOT ACT (Public Law 107-56).
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The application is protected through the use
of security controls implemented by CIT, ORS and the Application Hosting Environment (AHE).
These controls include intrusion detection systems as well as firewalls. The application is also
hosted by ORS in the AHE, which handles all physical controls of the information system and
helps to secure the information being stored. The NFNIS System Security Plan documents all
administrative, technical, and physical security controls that are in place to protect the PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS NIH Physical Access Control [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 4/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3354-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0054
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH ORS NIH Physical Access Control [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Alex Salah
10. Provide an overview of the system: The NIH Physical Access Control System has two
major functions. First, it is responsible for processing information required to issue badges (also
known as legacy badges) to NIH patients, volunteers, retirees, extended visitors, special
government employees (NIH board members), service providers, NIH Credit Union employees,
cafeteria workers, blood donors, FDA tenants, tenants, and summer students. In addition to
issuing legacy badges, the NIH Physical Access Control System also maintains information for
these legacy badges that are issued as well as badging information for NIH employees,
contractors, and affiliates. The second function of the NIH Physical Access Control System is
to serve as the access control system for physical access to NIH facilities. This includes access through
the perimeter fence at the Bethesda, MD campus and RML Montana, as well as access to
buildings and rooms throughout the NIH enclave.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Reference SORN # 09-25-0054. Disclosure to congressional office in response to a
congressional inquiry. To law enforcement officers when there is an indication of violation or
potential violation of law. In the event of litigation when the defendant is the Department or
employee of the Department acting in his/her official capacity.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: See SORN # 09-25-0054 for
details. Records on NIH patients, volunteers, retirees, extended visitors, special government
employees (NIH board members), service providers, NIH Credit Union employees, cafeteria
workers, blood donors, FDA tenants, tenants, summer students, and employees and contractors
of NIH who are issued card keys are maintained in the system. IIF data, including name, work
address, and photo, are maintained in the system. Submission of this information is
voluntary. However, failure to voluntarily provide the information could impact employment
opportunities within NIH facilities.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) This process is interactive with NIH patients,
volunteers, retirees, extended visitors, special government employees (NIH board members),
service providers, NIH Credit Union employees, cafeteria workers, blood donors, FDA tenants,
tenants, summer students, and employees/contractors at NIH. The information collected is with
full acknowledgment of the individual. Notification of major system changes regarding data use
and/or disclosure would come through modification of Privacy Act Statements and a required
revision of the SORN # 09-25-0054. An email request is planned for use to obtain individual
consent. As such the NIH global email system is in place and capable of reaching NIH badge
holders.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is protected by a number of
different controls that can be viewed in detail in the system Security Assessment and
Authorization (SA&A) package. Some of the major controls that help to secure the IIF are
firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based
access. For physical protection, the NIH campus is protected by guards and police; in addition,
the server itself is kept behind a locked door. Administratively, procedures are in place to allow
only individuals with a job-related need to access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Parking and Transhare System (PARTS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3328-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): SOR# 09-25-0167
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Parking and Transhare System (PARTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Thomas Hayden
10. Provide an overview of the system: PARTS is the system that manages enrollment in NIH
Transportation programs, including the parking enrollment system and the public transportation
subsidy distribution system.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The system shares information with individuals within the Division of Amenities and
Transportation Services, Division of Police, and the Division of Employee Services for the
purpose of providing transportation services to NIH. Per SOR #09-25-0167,
Disclosure may be made to a congressional office from the record of an individual in response to
an inquiry from the congressional office made at the request of that individual.
The Department of Health and Human Services (HHS) may disclose information from this
system of records to the Department of Justice, or to a court or other tribunal, when (a) HHS, or
any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS
employee in his or her individual capacity where the Department of Justice (or HHS, where it is
authorized to do so) has agreed to represent the employee; or (d) the United States or any agency
thereof where HHS determines that the litigation is likely to affect HHS or any of its
components, is a party to litigation, and HHS determines that the use of such records by the
Department of Justice, court or other tribunal is relevant and necessary to the litigation and
would help in the effective representation of the governmental party, provided, however, that in
each case HHS determines that such disclosure is compatible with the purpose for which the
records were collected.
NIH may disclose applicant's name, unique computer identification number, NIH TRANSHARE
commuter card number, and type of participant's fare media to be disbursed to cashiers of the
Recreation and Welfare Association of the National Institutes of Health, Inc. (R&W Association)
who are responsible for distribution of fare media. Cashiers are required to maintain Privacy Act
safeguards with respect to such records.
Disclosure may be made to organizations deemed qualified by the Secretary to carry out quality
assessments or utilization review.
NIH may disclose statistical reports containing information from this system of records to city,
county, State, and Federal Government
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system shares
information with individuals within the Division of Amenities and Transportation Services,
Division of Police, and the Division of Employee Services for the purpose of providing
transportation services to NIH. PARTS collects, maintains, or disseminates the following
information: name, NIH identifier, and work location information (from the NIH Directory); and
vehicle, parking permit, facial image, and commuting information. The information contains the
NIH UID (identifier) from the NIH Enterprise Directory (NED). Personal NED and vehicle
information is mandatory if Transportation privileges are requested by the individual.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There currently are none.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is protected by a number of
different controls that can be viewed in detail in the system C&A package. Some of the major
controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user
names and passwords, and role-based access. For physical protection, the NIH campus is
protected by guards and police; in addition, the server itself is kept behind a locked door.
Administratively, procedures are in place to only allow individuals with job-related necessity to
access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Physical Intrusion
Detection System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 4/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Physical Intrusion Detection
System [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Louis Klepitch (301) 402-6397
10. Provide an overview of the system: The Physical Intrusion Detection System (PIDS)
provides covert intrusion detection and duress alarming through panels installed at various
locations, including high security facilities, money and pharmaceutical handling areas, document
storage areas and irradiators. PIDS alarms are transmitted to a Bosch Security Systems head-end
receiver located in the NIH Emergency Communication Center (ECC). The PIDS is maintained,
through a maintenance contract, by ASG. All PIDS panels reside on the Facilities Network
(FACnet). One panel, responsible for monitoring the 5RC location, also has telephone alarm
capability.
PIDS has an internal interconnection with the Radiation Monitoring System (RMS). Certain
RMS alarms are pushed to the PIDS via the FACnet by way of a hard wired connection.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
PIDS does not collect, maintain or otherwise disseminate Personally Identifiable Information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: 1) PIDS collects alarm data
(time, location, zone) generated and transmitted by the Bosch Security Panels located throughout
the NIH Bethesda campus, Rockville (Twinbrook II and Research Court) and Baltimore
(Biomedical Research Center); 2) PIDS collects the information to allow for dispatchers to
quickly initiate a response to the alarm from a central location; 3) and 4) PIDS does not collect,
maintain or otherwise store PII or personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) PIDS does not collect, maintain or otherwise
disseminate Personally Identifiable Information.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: PIDS does not collect, maintain or
otherwise disseminate Personally Identifiable Information.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Point of Sale System
(POS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3323-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Point of Sale System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: John Crawford
10. Provide an overview of the system: The POS system provides the functionality for
maintaining records of cashier functions and cafeteria purchases. The system handles cash
exchanges, but does not deal with any credit card transactions.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This system does not deal with any IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The agency processes
purchase information to complete the sale of items on the NIH campus. The Division of
Employee Services will view individual transactions made in the retail and food service
operations, not transactions by individuals. There is no specific personal data on individuals that
will be collected. These transactions are simple cash/credit card transactions handled at typical
retail and food service operations. However, the credit card portion is done externally to this
system. The quantitative measure of these transactions will be used for analysis and gathering of
trends to better give us a snapshot of what our customers are purchasing, how much is being
purchased, and what services we can provide to maximize customer satisfaction. Submission of
personal information by customers is not required to gather transaction data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) None, since we are only using this as an automated
cash register system. There would be no circumstances where personal information about
anyone would be required for use of the system and to make transactions on the system. No
individual would have to consent to provide personal data. The data that would be collected
would be financial transactions and are not tied to any one individual.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is protected by a number of
different controls that can be viewed in detail in the system C&A package. Some of the major
controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user
names and passwords, and role-based access. For physical protection, the NIH campus is
protected by guards and police; in addition, the server itself is kept behind a locked door.
Administratively, procedures are in place to only allow individuals with job-related necessity to
access IIF.
Administration of this system is currently being researched by ORS IT to relocate the server to
Building 13 under the umbrella of the ORS server team. System access is password protected and
can only be accessed via specific passwords. Once again, the server does not store any personal
data on individuals and only certain individuals will have access to the server.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Radiation Safety
Comprehensive Database [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3314-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0166
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Radiation Safety Comprehensive Database
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Nancy Newman
10. Provide an overview of the system: The Radiation Safety Comprehensive Database System
(RSCDS) supports the NIH Radiation Safety Program and its information and record keeping
needs. As a multiple licensee of the U.S. Nuclear Regulatory Commission, the NIH Program is
required to maintain extensive detailed records on the use of licensed radioactive materials and
on the training, performance and radiation exposure of employees, as well as radiation exposure
of research patients, visitors and the public. The RSCDS is an essential tool for efficiently
facilitating these information collection, storage and retrieval needs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Per SOR# 09-25-0166, Routine uses of Record:
Disclosure may be made to a congressional office from the record of an individual in response to
an inquiry from the congressional office made at the request of that individual.
Disclosure may be made to the Department of Justice or to a court or other tribunal from this
system of records, when (a) HHS, or any component thereof; or (b) any HHS employee in his or
her official capacity; or (c) any HHS employee in his or her individual capacity where the
Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the
employee; or (d) the United States or any agency thereof where HHS determines that the
litigation is likely to affect HHS or any of its components, is a party to litigation or has an
interest in such litigation, and HHS determines that the use of such records by the Department of
Justice, court or other tribunal is relevant and necessary to the litigation and would help in the
effective representation of the governmental party, provided, however, that in each case HHS
determines that such disclosure is compatible with the purpose for which the records were
collected.
Disclosure may be made to contractors for the purpose of processing or refining the records.
Contracted services may include monitoring, testing, sampling, surveying, evaluating,
transcription, collation, computer input, and other records processing. The contractor shall be
required to maintain Privacy Act safeguards with respect to such records.
Disclosure may be made to: a) officials of the United States Nuclear Regulatory Commission
which, by Federal regulation, licenses, inspects and enforces the regulations governing the use of
radioactive materials; and b) OSHA, which provides oversight to ensure that safe and healthful
work conditions are maintained for employees. Disclosure will also be permitted to other Federal
and/or State agencies which may establish health and safety requirements or standards.
Radiation exposure and/or training and experience history may be transferred to new employer.
A record may be disclosed for a research purpose, when the Department: (A) has determined that
the use or disclosure does not violate legal or policy limitations under which the record was
provided, collected, or obtained; (B) has determined that the research purpose (1) cannot be
reasonably accomplished unless the record is provided in individually identifiable form, and (2)
warrants the risk to the privacy of the individual that additional exposure of the record might
bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and
physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or
destroy the information that identifies the individual at the earliest time at which removal or
destruction can be accomplished consistent with the purpose of the research project, unless the
recipient has presented adequate justification of a research or health nature for retaining such
information, and (3) make no further use or disclosure of the record except (a) in emergency
circumstances affecting the health or safety of any individual, (b) for use in another research
project, under these same conditions, and with written authorization of the Department, (c) for
disclosure to a properly identified person for the purpose of an audit related to the research
project, if information that would enable research subjects to be identified is removed or
destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when
required by law; (D) has secured a written statement attesting to the recipient's understanding of,
and willingness to abide by these provisions.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The Radiation Safety
Database System tracks exposure badges, compliance surveys, radioactive isotopes, radiation
sources, radioactive waste disposal, and radioactive waste discharges (WSSC). In addition the
Radiation Safety System tracks the location of radioactive materials and the personnel who are
permitted to work with those materials. Personal information collected are Name, NIH
Employee ID number, Date of Birth, SSN, work location(s), work mailing address, IC affiliation,
work phone number and work email address.
This information is collected for employees, researchers, contractors and any other appointment
types that could use or have exposure to radioactive materials. This information is mandatory to
operate a Radiation Safety Program which is in compliance with U.S. Nuclear Regulatory
Commission licenses, regulations and the regulations of the Occupational Safety and Health
Administration, DOL and to protect the health and safety of NIH personnel, patients, visitors and
the general public.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The database server is kept in a secured,
video-monitored room in a secured building. Network-wise, the database is kept behind 3
firewalls (NIH firewall, Building 21 firewall and database firewall). Access to data in the
database is through database accounts which are password protected. Depending on the type of
IIF and users' job duties, users are given database roles to manage access. Only DBAs and
Developers are given direct access to the database from designated clients in the network. Data
transmitted between clients and the database is encrypted using FIPS level 2 standards. PI data is
encrypted using Oracle's Advanced Security Transparent Data Encryption.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Radiological
Monitoring System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 5/11/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Radiological Monitoring System
[System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Cathy Ribaudo
10. Provide an overview of the system: Irradiator room remote monitoring system
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (i) The agency collects
information to provide 24/7 monitoring of all rooms at NIH containing research equipment
that is managed by Radiation safety, including real-time measurements of radiation levels,
camera views, and alarm logs.
(ii) The data is collected to automate tasks within the Division, including real-time measurements
of radiation levels. Information will be used to generate reports.
(iii) The system does not collect, maintain or disseminate PII information.
(iv) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS ScheduAll
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3334-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): #09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): ScheduALL
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Shauna Everett
10. Provide an overview of the system: Resource scheduling and business management
software designed to handle the conference services, multimedia services, and medical arts
services needs of the NIH/ORS/Division of Medical Arts.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Information is not shared outside the Division of Medical Arts (DMA). Reference SOR #09-25-
0106. This information is further addressed in the NIH Privacy Act Systems of Record Notice
09-25-0106, published in the Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This system records contact
information for those individuals that request services managed by DMA. The IIF information
will be used to reserve services and for correspondence to confirm bookings. The limited IIF
that is captured is mandatory for booking and reservation services.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There are none
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is protected by a number of
different controls that can be viewed in detail in the system C&A package. Some of the major
controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user
names and passwords, and role-based access. For physical protection, guards and police protect
the NIH campus; in addition, the server itself is behind a locked door. Administratively,
procedures are in place to allow only individuals with a job-related necessity to access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Send Word Now
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3352-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Send Word Now
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: James Stringfellow
10. Provide an overview of the system: Send Word Now is a two-way messaging system used
to notify various contact points during an emergency or event; it is web based and hosted, with
the master account maintained by DEPC.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
This is a system that will be utilized by the NIH and not by our division alone.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: First and last name, building,
IC, room, government and personal mobile, landline, BlackBerry devices, email, SMS, and pager;
all personal information is voluntarily given. Government information (email, telephone) will
automatically be passed to the system from NED.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Individual ICs that utilize this system are responsible
for notifying and obtaining consent from individuals when changes occur. The ICs are notified
when changes do occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The Send Word Now service is architected,
designed, and implemented to be highly secure. Send Word Now utilizes a "defense in depth"
strategy that provides, where feasible, multiple levels of defense. All traffic to and from the Web
interfaces to the SWN Application is encrypted using 128-bit SSL encryption. Additionally,
redundant Cisco firewalls block all but the necessary categories of traffic entering a service
complex. These firewalls also provide basic intrusion detection, cutting off suspicious traffic and
providing real-time alerts to SWN service Operations personnel. As discussed in Q49, role-based
access to sensitive data is provided only as needed to the appropriate employees.
Send Word Now (SWN) service complexes provide extensive physical security. Onsite security
guards are present 24/7, supplementing both indoor and outdoor security monitoring. Access to a
facility requires a Hosting Facility photo ID badge and inclusion on the list of authorized
personnel for that facility. Biometric hand scans and pulse detection are required for entry to a
facility; they also limit hosting customers' ability to move from one co-location area to another
within the facility. Hosting customers are escorted to their areas. Closed-circuit cameras monitor
and record every area within the facilities. Customer equipment resides in locked cages and/or
locked cabinets. The hosting provider keeps all keys to cages and cabinets; customers do not have
copies of the keys. As a result, only SWN personnel have either physical or logical access to
Send Word Now resources.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS STARS
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 8/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH OD/ORS Safe Techniques Advance
Research (STAR)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Suzanne Krall
10. Provide an overview of the system: STARS is a website which allows downloading of a
laboratory safety training tool that was designed on a game based platform. Also downloadable
from the site is a teacher’s guide. The Division of Occupational Health and Safety (DOHS),
National Institutes of Health (NIH) recognizes that safe laboratory techniques are essential to
scientific research. In an effort to increase safety awareness and motivate students to work safely
in the laboratory, STAR-LITE was developed. Keeping our audience in mind, we realize that the
most effective methods to teach students are interactive, realistic and engaging. Furthermore,
computers, the internet, and videogames are part of students' daily activities. With these two
concepts in mind, the DOHS designed an interactive computer-based laboratory safety training
program for high school students and undergraduate university students. The program
incorporates common features, for example, selection of an individualized character; first-person
views; and three-dimensional graphics. This method of instruction integrates visualization of
consequences, e.g., slips/trips/falls, inhalation of chemical hazards, spills of biohazardous
liquids, development of critical-thinking proficiencies, and application of problem-solving skills.
Additionally, the website contains a “contact us” section which allows users to send email to
DOHS via the website.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) No personal information
is collected from those who download the game type training program, but personal email and
name have the potential of being collected by those who wish to contact us with comments or
questions. (2) The information will only be used to respond to inquiries received from users of
the training program. (3) The information on the website does not contain PII, but has the
potential to carry personal email and name; and (4) submission of the information is voluntary
if persons have questions.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) There is no formal process in place since we are not
actively collecting PII, but any form of notification is provided when a user downloads the
training program. The website has an electronic privacy notice for all visitors to the web page to
view, and there is also a notice on the contact page that advises that the email address provided
will be confidential. Consent is obtained when a visitor submits their information and question
through the "contact us" screen.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Administrative: user manual and training
Technical: Password, VPN and user password
Physical: N/A since the system is web based
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Supervisory Control
And Data Acquisition - 33 [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Supervisory Control and Data
Acquisition - 33 [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Eric Jarvis
10. Provide an overview of the system: The Supervisory Control and Data Acquisition –
Building 33 (SCADA 33) system is an integrated, complex system providing control of the
electrical power to Building 33, including the emergency generator and critical infrastructure.
SCADA 33 is comprised of two workstations and two redundant SQL database servers. The
main application installed on the workstations is called SIMATIC WinCC version 7.0. The
SCADA 33 system’s major functions are to monitor, report, and manage the power systems in
Building 33. SCADA 33 is a true SCADA system as it has the ability to control some of the
power distribution functionality within Building 33. Additionally, SCADA 33 is capable of
handling the switch to emergency power in the event of a power failure.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) This system continuously
collects data on power, volts, amps, and any outage conditions.
(2) The data is collected for the purposes of monitoring, reporting, and managing the power
systems in Building 33.
(3) There is no PII contained within the system.
(4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen P
Sign-off Date: 8/22/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Supervisory Control
And Data Acquisition [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: 8/21/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH ORS Supervisory Control and Data
Acquisition (SCADA)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: John Conlon
10. Provide an overview of the system: The Supervisory Control and Data Acquisition –
Telvent (SCADA) system is a major application within the Office of Research Facilities. The
Campus wide SCADA system monitors the status of transformer network protectors, transformer
temperature and pressure, Uninterruptible Power Supply (UPS) status, main circuit breakers on
480 V distribution boards, and the tie breakers on 480 V distribution boards. The SCADA
system collects data continuously for power, volts, amps, and any outage conditions. The
SCADA system also reports on the power feeders coming into each of the NIH owned buildings
on and off campus.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: (1) This system continuously
collects data on power, volts, amps, and any outage conditions. The SCADA system also
reports on the power feeders coming into each of the NIH owned buildings on and off campus.
(2) The Campus wide SCADA system monitors the status of transformer network protectors,
transformer temperature and pressure, Uninterruptible Power Supply (UPS) status, main circuit
breakers on 480 V distribution boards, and the tie breakers on 480 V distribution boards.
(3) No PII is collected, maintained or disseminated.
(4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Visitor Badging
System [System]
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011?
If this is an existing PIA, please provide a reason for revision: Commercial Sources
1. Date of this Submission: 9/13/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3354-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0054
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Visitor Badging System
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Major Patricia Haynes
10. Provide an overview of the system: The Visitor Badging System application acts as a
badge issuance system for visitors to the NIH Bethesda campus. When a visitor arrives on
campus, their ID is scanned into the system as an image file; the image, along with other
Information in Identifiable Form (IIF), is stored in a back-end Oracle database; the identity of
the individual is validated through the photo on the ID; the name and photo of the visitor are
checked against a "Do Not Admit/No Entry" list; once approved, the visitor is issued a
temporary badge.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
Disclosure may be made to a congressional office from the record of an individual in response to
an inquiry from the congressional office made at the request of that individual.
In the event that a system of records maintained by this agency to carry out its functions
indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature,
and whether arising by general statute or particular program statute, or by regulation, rule or
order issued pursuant thereto, the relevant records in the system of records may be referred, as a
routine use, to the appropriate agency, whether Federal, or foreign, charged with the
responsibility of investigating or prosecuting such violation or charged with enforcing or
implementing the statute, or rule, regulation or order issued pursuant thereto.
In the event of litigation where the defendant is (a) the Department, any component of the
Department, or any employee of the Department in his or her official capacity; (b) the United
States where the Department determines that the claim, if successful, is likely to directly affect
the operations of the Department or any of its components; or (c) any Department employee in
his or her individual capacity where the Justice Department has agreed to represent such
employee, the Department may disclose such records as it deems desirable or necessary to the
Department of Justice to enable that Department to present an effective defense, provided that
such disclosure is compatible with the purpose for which the records were collected.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The system collects
information that is stored on a normal form of identification. That could include name, address,
place of birth, birthdate, passport number, license number, photo identification, as well as other
identification-type information. Collection of personal information is mandatory based on NIH
ORS SER DP Policy and Procedures.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Write to the System Manager to determine if a record
exists. The requester must also verify his or her identity by providing either a notarization of the
request or a written certification that the requester is who he or she claims to be and understands
that the knowing and willful request for acquisition of a record pertaining to an individual under
false pretenses is a criminal offense under the Act, subject to a five-thousand-dollar fine. The
system records visitors to the NIH; there is no mechanism in place to notify these people when a
major upgrade to the system occurs. In this case, due to the purpose of this application, it should
be exempt from the aforementioned requirement: individuals provide the IIF themselves at the time of
visitor registration, and therefore do not need to be informed separately of the information that is being
collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The system is located on a separate VLAN
of a secure NIH network. The network is protected by firewall and IDS devices. Only
authorized individuals are allowed access to the system both physically and remotely.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: <<Date approved for Web Publishing>>
_____________________________________________________________________________