
Centers for Disease Control - Page 5


 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services - External - NCIPC SharePoint Collection (MOSS-E-NCIPC) [SYSTEM] 
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  12/1/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 2028
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services - External - NCIPC SharePoint Collection (MOSS-E-NCIPC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Darryl Owens
10. Provide an overview of the system:  MOSS-E-NCIPC is a web-based system that will be used by the National Center for Injury Prevention and Control (NCIPC) and its offices, divisions, and branches to ensure the proper management and record keeping of files, to create backups through versioning of files, to reduce the number of manual communications, to serve as part of the NCIPC Extranet, and to share news and information with partners and staff through a common forum.  These activities ensure that NCIPC operations are better streamlined and positioned to offer aid to partners in support of the CDC mission.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A.  MOSS-E-NCIPC does not contain PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) MOSS-E-NCIPC will collect and maintain non-sensitive information and news in files, wikis and blogs. 
(2) The National Center for Injury Prevention and Control (NCIPC) and its offices, divisions, and branches will use MOSS-E-NCIPC to ensure the proper management and record keeping of files, to create backups through versioning of files, to reduce the number of manual communications, to serve as part of the NCIPC Extranet, and to share news and information with partners and staff through a common forum.
(3) MOSS-E-NCIPC does not contain PII.
(4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A.  MOSS-E-NCIPC does not contain PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A.  MOSS-E-NCIPC does not contain PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  12/1/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services – External – SharePoint Portal for OSELS Collaboration and Knowledgebase (MOSS-E-SPOCK) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  2/23/2012
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services – External – SharePoint Portal for OSELS Collaboration and Knowledgebase (MOSS-E-SPOCK)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Yolandita Jackson-James
10. Provide an overview of the system:  This system will help all of OSELS improve organizational effectiveness by enhancing collaboration, strengthening knowledge management access and control, accelerating business processes, and facilitating strategic decision-making.
MOSS-E-SharePoint Portal for OSELS Collaboration and Knowledgebase (MOSS-E-SPOCK) supports this purpose by providing users a single, integrated location offering employees the following services:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications
o   Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  MOSS-E-SPOCK is primarily used as a document library and collaboration tool.  Information to be contained in this system will represent no more than federal contact data.  The document types that will be stored are as follows:
Non-sensitive general business procedures, guidance materials, and presentation files
Partner meeting agendas and minutes
Partner education and orientation manuals
Business document templates
Medical article and periodical compilations
The information to be contained in the system will be used to facilitate partner project organizational coordination and improve partner project/program management effectiveness.
The information to be contained in the system does not contain PII.
The system warns against and prohibits submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The system warns against and prohibits submission of personal information.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system does not contain PII. The system implements appropriate controls from NIST SP 800-53 to ensure the security of any and all information in the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  2/23/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services - External (MOSS-E) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  12/8/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services – External (MOSS-E)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Chad McCown
10. Provide an overview of the system:  This system provides the infrastructure for the CDC implementation of Microsoft SharePoint Services - External.  This system provides a single, integrated location where employees can efficiently collaborate with team members, find organizational resources, search for experts and corporate information, manage content and workflow, and leverage business insight to make better-informed decisions.
•        Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
•        Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
•        Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
•        Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
•        Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
•        Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
This system supports the production Site Collections and Sites for the C/I/Os of the CDC.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A

No IIF Collected
E-Authentication Assurance Level = (1) Low
Risk analysis Date = 11/08/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  12/9/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services - External-NCEZID (MOSS-E-NCEZID) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/31/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services-External-NCEZID (MOSS-External-NCEZID)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Ted Pestorius
10. Provide an overview of the system:  The primary function of this system is to provide CDC staff a means to collaborate with external partners. The external sites are isolated from internal resources.  Another primary function of the external SharePoint site is to replace SiteScape.
MOSS-External-NCEZID supports this purpose by providing users a single, integrated location offering employees the following:

o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1) Documentation 2) Storage 3) N/A 4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  8/31/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services - Internal - OSTLTS SharePoint Collection (MOSS-I-OSTLTS) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  7/26/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  NA
5. OMB Information Collection Approval Number:  NA
6. Other Identifying Number(s):  NA
7. System Name (Align with system Item name):  MOSS-I-OSTLTS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Karen Resha
10. Provide an overview of the system:  MOSS-E-OSTLTS is a web-based system that will be used by the Office for State, Tribal, Local and Territorial Support (OSTLTS), its offices, divisions, branches, and teams to communicate and collaborate with our partners including, but not limited to:
State, tribal, local, and territorial public health department and agency staff (STLTs)
Non-governmental organizational partners such as NACCHO, ASTHO, NALBOH, NPHIC, etc.
Grantees
CDC field staff
College and university faculty and staff
Other Federal agencies
All of the activities housed within this system will allow OSTLTS operations to become more streamlined and positioned to offer aid to our partners in support of the CDC mission.
MOSS-E-OSTLTS supports this purpose by providing users a single, integrated location offering employees the following:
Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No PII
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No PII
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No PII
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  7/26/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services – Internal (MOSS-I) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/30/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 620
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services – Internal (MOSS-I)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Judith Kenny /  Sandra Chapman
10. Provide an overview of the system:  MOSS-I provides a single, integrated location where employees can efficiently collaborate with team members, find organizational resources, search for experts and corporate information, manage content and workflow, and leverage business insight to make better-informed decisions.
·      Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
·      Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
·      Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
·      Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
·      Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
·      Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No IIF
Risk Analysis date: 2/16/2010
E-Auth Level = N/A.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L. Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  10/6/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services - Internal-NCEZID (MOSS-I-NCEZID) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  10/27/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1874
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services-Internal-NCEZID (MOSS-I-NCEZID)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Frederick (Ted) Pestorius
10. Provide an overview of the system:  MOSS-I-NCEZID supports this purpose by providing users a single, integrated location offering employees the following:
o        Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o        Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o        Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o        Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o        Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o        Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  10/28/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services - Internal-NCHHSTP (MOSS-I-NCHHSTP) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/18/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1900
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services-Internal-NCHHSTP (MOSS-I-NCHHSTP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Michael Melneck
10. Provide an overview of the system:  MOSS-I-NCHHSTP supports this purpose by providing users a single, integrated location offering employees the following:
o        Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o        Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o        Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o        Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o        Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o        Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  8/24/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services - Internal-NCHS (MOSS-I-NCHS SSC) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  11/19/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  MOSS-I-NCHS Sharepoint Site Collection (NCHSSSC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Fonda Kornegay
10. Provide an overview of the system:  This system provides the infrastructure and service for the CDC implementation of Microsoft SharePoint services.  This system provides a single, integrated location where employees can efficiently collaborate with team members, find organizational resources, search for experts and corporate information, manage content and workflow, and leverage business insight to make better-informed decisions.
• Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
• Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
• Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
• Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
This system supports the SDLC process of Initiation, Development/Acquisition, Implementation, Operations/Maintenance, Disposal of Site Collections and Sites for the C/I/Os of the CDC List user organizations (internal/external) and type of data processing provided.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A.  The system does not contain PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) NCHSSSC contains survey data.

(2) NCHSSSC provides a single, integrated location where employees can efficiently collaborate with team members, find organizational resources, search for experts and corporate information, manage content and workflow, and leverage business insight to make better-informed decisions.

(3) NCHSSSC contains no PII.

(4) N/A.  NCHSSSC contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  (1)  N/A.  NCHSSSC contains no PII.

(2)  N/A.  NCHSSSC contains no PII.

(3)  N/A.  NCHSSSC contains no PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Information will be secured using Active Directory access control lists
PII = No
Risk Analysis Date: 09/24/2010
E-Auth Level = NA
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  11/30/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services-External-NCHHSTP (MOSS-X-NCHHSTP) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/9/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services-External-NCHHSTP (MOSS-X-NCHHSTP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Doug Correll
10. Provide an overview of the system:  MOSS-X-NCHHSTP is a system that provides a single, integrated location where CDC programs and public health partners can efficiently collaborate with team members, find organizational resources, search for experts and corporate information, manage content and workflow, and leverage business insight to make better-informed decisions:
o        Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o        Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o        Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o        Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o        Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make better informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1)   documentation 2) Storage 3) N/A 4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  8/9/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services-Internal-NCIPC SharePoint Collection (MOSS-I-NCIPC) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  4/27/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services - Internal - NCIPC SharePoint Collection (MOSS-I-NCIPC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Karen Resha
10. Provide an overview of the system:  MOSS-I-NCIPC is a SharePoint instance that will be used by the National Center for Injury Prevention and Control (NCIPC) and its offices, divisions, and branches to ensure the proper management and record keeping of files, to create backups through versioning of files, to reduce the number of manual communications, to serve as a collaboration tool, and to share news and information with staff through a common forum.  These activities ensure that NCIPC operations are better streamlined and positioned to offer aid to partners, state, and local agencies in support of the CDC mission.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A.  The system does not contain PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A.  The system does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A.  The system does not contain PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A.  The system does not contain PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  4/27/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Microsoft Office SharePoint Services-Internal-SharePoint Portal for OSELS Collaboration and Knowledgebase (MOSS-I-SPOCK) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  7/20/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1848
7. System Name (Align with system Item name):  Microsoft Office SharePoint Services – Internal – SharePoint Portal for OSELS Collaboration and Knowledgebase (MOSS-I-SPOCK)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Yolandita Jackson-James
10. Provide an overview of the system:  This system will help all of OSELS improve organizational effectiveness by enhancing collaboration, strengthening knowledge management access and control, accelerating business processes, and facilitating strategic decision-making.
MOSS-I-SharePoint Portal for OSELS Collaboration and Knowledgebase (MOSS-I-SPOCK) supports this purpose by providing users a single, integrated location offering employees the following services:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications
o   Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  MOSS-I-SPOCK stores documents that contain PII.  It does not share information.  Access is controlled by authorized personnel using Active Directory.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  MOSS-I-SPOCK is primarily used as a document library and collaboration tool.  The documents that will be stored are:
C&A documents
Vulnerability scans
Business procedures, guidance materials, and presentation files
Meeting agendas and minutes
Internal informatics governance and budget plans
Change management process materials
Business continuity documents
Staff education and orientation manuals
Business document templates
Medical article and periodical compilations
Resumes and application forms
The information to be contained in the system will be used to facilitate organizational coordination and improve project/program management effectiveness.
The information to be contained in the system does contain PII.
MOSS-I-SPOCK is only a repository to store documents.  Each Program that applies for a SharePoint site is responsible for notifying individuals about the PII they collect.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  MOSS-I-SPOCK is only a repository to store documents.  Each Program that applies for a SharePoint site is responsible for notifying individuals about the PII they collect.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  MOSS-I-SPOCK has been authorized to operate and undergoes annual requirements that meet the Federal guidelines.  The infrastructure has also been authorized to operate by the CDC Information Technology Services Office and meets the security controls outlined in the NIST 800-53 Rev 3.  The servers are in a locked room that is only accessible by authorized personnel.  Ingress and egress controls exist to log access to the room.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  

Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  11/3/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-E-NCIRD Site Collection (NSC-External) [SYSTEM]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/25/2012
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  MOSS-E-NCIRD Site Collection (NSC-External)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  David Walker
10. Provide an overview of the system:  The MOSS-E-NCIRD Site Collection is an extension of the Enterprise SharePoint System for NCIRD. NSC Site will be designed to support the NCIRD Divisions in the areas of project, document and staff management. The system is composed of several intranet sites for each NCIRD Division and an umbrella intranet site for all of NCIRD. The sites will be used by NCIRD employees to manage project documents and schedules, branch staff calendars, and branch-related information. MOSS-E-NCIRD Site Collection will also be used as a communication vehicle to store Security C&A Packages, Security Annual Assessments, Security documentation, SOP, WIKIs and other security documents. 
MOSS-E-NCIRD Site Collection supports this purpose by providing users a single, integrated location offering employees the following:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The MOSS-E-NCIRD Site Collection is an extension of the Enterprise SharePoint System for NCIRD. NSC Site will be designed to support the NCIRD Divisions in the areas of project, document and staff management. The system is composed of several intranet sites for each NCIRD Division and an umbrella intranet site for all of NCIRD. The sites will be used by NCIRD employees to manage project documents and schedules, branch staff calendars, and branch-related information. MOSS-E-NCIRD Site Collection will also be used as a communication vehicle to store Security C&A Packages, Security Annual Assessments, Security documentation, SOP, WIKIs and other security documents. 
MOSS-E-NCIRD Site Collection supports this purpose by providing users a single, integrated location offering employees the following:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A – No PII is collected
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A – No PII is collected
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  1/25/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-E-OPHPR SharePoint Site Collection (OPHPR E-MOSS) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  11/1/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 2038
7. System Name (Align with system Item name):  MOSS-E-OPHPR SharePoint Site Collection (OPHPR E-MOSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Serena Vinter
10. Provide an overview of the system:  OPHPR MOSS is the Site Collection of the Enterprise SharePoint Partner Farm specifically configured for use by OPHPR.  MOSS-E-OPHPR provides users a single, integrated location offering employees the following:
o        Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o        Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o        Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o        Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o        Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o        Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No PII is contained within the system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No PII is contained within the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  None
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No PII is contained within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  11/1/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-CDC Enterprise Share Point Portal (CDCESP) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/1/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1911
7. System Name (Align with system Item name):  MOSS-I-CDC Enterprise SharePoint Portal (CDCESP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sandy Chapman
10. Provide an overview of the system:  The MOSS-I-CDC Enterprise SharePoint Portal (CDCESP) is a web-based system that serves as the agency-wide access point for information regarding Enterprise Committees, the Enterprise SharePoint governances and the acquisition of SharePoint sites and site collections at CDC.  This site collection site will also host a directory of links to other SharePoint site collections, a catalogue of custom developed SharePoint applications and web parts, a SharePoint Community of Practice web site, and any number of Enterprise Collaboration Services Team (MISO)-developed SharePoint applications and features whose audience spans across CDC organizations, such as the SharePoint Site Collection Request and Request for Planned Changes applications needed to support SharePoint Governance processes.
CDCESP supports this purpose by providing users a single, integrated location offering employees the following:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence – Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The CDCESP serves as the agency-wide access point for information regarding Enterprise Committees, the Enterprise SharePoint governances and the acquisition of SharePoint sites and site collections at CDC.  This site collection site will also host a directory of links to other SharePoint site collections, a catalogue of custom developed SharePoint applications and web parts, a SharePoint Community of Practice web site, and any number of Enterprise Collaboration Services Team (MISO)-developed SharePoint applications and features whose audience spans across CDC organizations, such as the SharePoint Site Collection Request and Request for Planned Changes applications needed to support SharePoint Governance processes.
CDCESP supports this purpose by providing users a single, integrated location offering employees the following:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence – Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A – No PII is collected
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A – No PII collected
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  9/7/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-CDCOCOO SharePoint Site Collection (MOSS-I-CDCOCOO) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  4/28/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  MOSS-I-CDCOCOO SharePoint Site Collection (MOSS-I-CDCOCOO)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Carlton Duncan
10. Provide an overview of the system:  The MOSS-I-CDCOCOO SharePoint Site Collection (MOSS-I-CDCOCOO) will support the OCOO Office of the Director (OD) functions, the OCOO communities, OCOO service teams and IT program management and projects.  The MOSS-I-CDCOCOO will host request tracking tools, project team collaboration sites, project management initiatives, common processes, common tools, and common procedures.  It will help to strengthen communication and MOSS-I-CDCOCOO corporate knowledge.
MOSS-I-CDCOCOO supports this purpose by providing users a single, integrated location offering employees the following:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence – Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  MOSS-I-CDCOCOO supports this purpose by providing users a single, integrated location offering employees the following:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence – Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
This system does not contain PII and therefore the voluntary or mandatory submission of PII is not applicable.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A – No PII is collected
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A – No PII collected
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  4/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-CDCOD Site Collection (N/A) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  12/28/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1831
7. System Name (Align with system Item name):  MOSS-I-CDCOD Site Collection
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Lauren Hoffmann
10. Provide an overview of the system:  MOSS-I-CDCOD Site Collection is a web-based system designed to enhance the CDC’s environmental scanning and forecasting capability.  The CDCOD SharePoint Site Collection will provide a collaborative environment in support of the center’s public health mission.  In an effort to enhance CDC’s ability to better identify and leverage opportunities to promote and protect the Agency and public health, the SharePoint site will serve as an information gateway for forecasting through environmental scanning and the timely sharing and communication of information.  Specifically, the functions that this site will support include:
-          cornerstone of the CDC Forecasting Initiative, including meeting all mandatory environmental scanning reporting requirements from HHS and the White House
-          issues management tracking
-          task tracking
-          CDC Senior Leadership calendar coordination
-          Report and data repository

MOSS-I-CDCOD Site Collection is a web-based system designed to enhance the CDC’s environmental scanning and forecasting capability.

MOSS-I-CDCOD Site Collection supports this purpose by providing users a single, integrated location offering employees the following:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  MOSS-I-CDCOD Site Collection is a web-based system designed to enhance the CDC’s environmental scanning and forecasting capability.  The CDCOD SharePoint Site Collection will provide a collaborative environment in support of the center’s public health mission.  In an effort to enhance CDC’s ability to better identify and leverage opportunities to promote and protect the Agency and public health, the SharePoint site will serve as an information gateway for forecasting through environmental scanning and the timely sharing and communication of information.  Specifically, the functions that this site will support include:
-          cornerstone of the CDC Forecasting Initiative, including meeting all mandatory environmental scanning reporting requirements from HHS and the White House
-          issues management tracking
-          task tracking
-          CDC Senior Leadership calendar coordination
-          Report and data repository

MOSS-I-CDCOD Site Collection is a web-based system designed to enhance the CDC’s environmental scanning and forecasting capability.

MOSS-I-CDCOD Site Collection supports this purpose by providing users a single, integrated location offering employees the following:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A – No PII is collected
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  12/29/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-CIMS Request for Task Order Processing Module (C-RPM) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/18/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1852
7. System Name (Align with system Item name):  MOSS-I-CIMS Request For Task Order Processing Module (C-RPM)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Alvin Hall
10. Provide an overview of the system:  The CDC is planning to award multiple contracts for information management services, referred to as the CIMS Contract.  The CIMS Contract is a successor to the ongoing CITS-2 contract that is currently being performed by Northrop-Grumman and Lockheed Martin.  The CIMS Contract has greatly increased in complexity and magnitude over its predecessor CITS-2 contract, involving multiple awardees across three (3) separate functional domains and three (3) business categories.  Under CIMS, it is anticipated that CDC may be managing 10-20 competing prime contractors in contrast to the two (2) contractors working under the CITS-2 contract.  This system processes Request For Task Order Proposals (RFTOPs) for the CIMS contract.  A RFTOP is an early stage in the procurement process, issuing an invitation for suppliers, often through a bidding process, to submit a proposal on a specific commodity or service.

The MOSS-I-CIMS Request For Task Order Processing Module (C-RPM) supports and facilitates user registration, RFTOP initiation, collaboration and processing.  The C-RPM system will serve as a front-end management tool that supports and facilitates the implementation of the SharePoint portal solution.  The C-RPM will be customized to incorporate the CIMS task order workflow while providing the platform for a collaborative work environment. 

The C-RPM will serve as a front-end management system to facilitate the “internal” RFTOP workflow, user registration, system administration, collaboration, security, and document management to support the initiation and implementation of CIMS RFTOPs.  The CIMS Contract Management System will automate the (internal / CDC) task ordering processes and workflow that includes capabilities, requirements, features, and functions.  The system will provide a secure portal workspace for each “internal” customer (program), stakeholder, and partner involved in a specific task order process.  The system will provide a secure portal workspace folder (PMO Site) for all task ordering templates and guides.  The system will be established as a role-based system with access permissions for portal workspaces, each task order workspace and associated work folders/documents.  The system will enable CDC internal stakeholders to collaborate and share documents in preparing RFTOP packages.  The system will provide internal-only email alerts on the status of RFTOPs initiated in the system.  The system will conform to the CDC SharePoint platform, standards, and requirements and conform to the products installed in CDC’s Enterprise production/development environments.

The C-RPM is composed of custom webparts and custom workflows (approved by CDC SharePoint Governance Board), CIMS program sites, and individual CIMS RFTOP sites.  The workflows will be organized into two .NET assemblies:  the NVI.CDC.Workflow.UserAccess.dll and NVI.CDC.Workflow.RFTOPCreation.dll workflow modules.  C-RPM will be used to start the process for new RFTOPs and allow collaboration on the RFTOPs before they are sent to PGO for final approval and publishing.

The C-RPM process is as follows.  1)  A program office submits a RFTOP request form on the C-RPM SharePoint site.  2)  The request is reviewed by the CIMS project management office (CPMO).  3)  If the request is approved by the CPMO, then a sub site for this RFTOP is created.  4)  PGO, CPMO, and program office staff use this SharePoint sub site to collaborate on the RFTOP.  5)  RFTOP is finalized and submitted to PGO.  Permissions to each RFTOP site are maintained by the CPMO.

C-RPM will contain several sites:  one CPMO site, a site for each CDC program office, and a site for each RFTOP.  Each program office site will contain a list of links to each RFTOP created.  The program office sites can also be customized using out of the box SharePoint webparts to include office specific RFTOP guidance or artifacts/documentation. 

Note: The C-RPM module is also planned to be incorpo
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The CDC is planning to award multiple contracts for information management services, referred to as the CIMS Contract.  The CIMS Contract is a successor to the ongoing CITS-2 contract that is currently being performed by Northrop-Grumman and Lockheed Martin.  The CIMS Contract has greatly increased in complexity and magnitude over its predecessor CITS-2 contract, involving multiple awardees across three (3) separate functional domains and three (3) business categories.  Under CIMS, it is anticipated that CDC may be managing 10-20 competing prime contractors in contrast to the two (2) contractors working under the CITS-2 contract.  This system processes Request For Task Order Proposals (RFTOPs) for the CIMS contract.  A RFTOP is an early stage in the procurement process, issuing an invitation for suppliers, often through a bidding process, to submit a proposal on a specific commodity or service.

The MOSS-I-CIMS Request For Task Order Processing Module (C-RPM) supports and facilitates user registration, RFTOP initiation, collaboration and processing.  The C-RPM system will serve as a front-end management tool that supports and facilitates the implementation of the SharePoint portal solution.  The C-RPM will be customized to incorporate the CIMS task order workflow while providing the platform for a collaborative work environment. 

The basic C-RPM will serve as a front-end management system to facilitate the “internal” RFTOP workflow, user registration, system administration, collaboration, security, and document management to support the initiation and implementation of CIMS RFTOPs.  The CIMS Contract Management System will automate the (internal / CDC) task ordering processes and workflow that includes capabilities, requirements, features, and functions.  The system will provide a secure portal workspace for each “internal” customer (program), stakeholder, and partner involved in a specific task order process.  The system will provide a secure portal workspace folder (PMO Site) for all task ordering templates and guides.  The system will be established as a role-based system with access permissions for portal workspaces, each task order workspace and associated work folders/documents.  The system will enable CDC internal stakeholders to collaborate and share documents in preparing RFTOP packages.  The system will provide internal-only email alerts on the status of RFTOPs initiated in the system.  The system will conform to the CDC SharePoint platform, standards, and requirements and conform to the products installed in CDC’s Enterprise production/development environments.

The C-RPM is composed of custom webparts and custom workflows (approved by CDC SharePoint Governance Board), CIMS program sites, and individual CIMS RFTOP sites.  The workflows will be organized into two .NET assemblies:  the NVI.CDC.Workflow.UserAccess.dll and NVI.CDC.Workflow.RFTOPCreation.dll workflow modules.  C-RPM will be used to start the process for new RFTOPs and allow collaboration on the RFTOPs before they are sent to PGO for final approval and publishing.

The C-RPM process is as follows.  1)  A program office submits a RFTOP request form on the C-RPM SharePoint site.  2)  The request is reviewed by the CIMS project management office (CPMO).  3)  If the request is approved by the CPMO, then a sub site for this RFTOP is created.  4)  PGO, CPMO, and program office staff use this SharePoint sub site to collaborate on the RFTOP.  5)  RFTOP is finalized and submitted to PGO.  Permissions to each RFTOP site are maintained by the CPMO.

C-RPM will contain several sites:  one CPMO site, a site for each CDC program office, and a site for each RFTOP.  Each program office site will contain a list of links to each RFTOP created.  The program office sites can also be customized using out of the box SharePoint webparts to include office specific RFTOP guidance or artifacts/documentation. 

Note: The C-RPM module is also planned to be i
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A – No PII is collected
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A – No PII collected
EAL = N/A
Risk Analysis Date = 01/03/2011
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  1/19/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-Grants and Contracts Business Analytics (MOSS-I-BABI) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  2/22/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  OGE/GOVT-1
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  MOSS-I-Grants and Contracts Business Analytics (MOSS-I-BABI)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sandy Chapman
10. Provide an overview of the system:  MOSS-I Grants and Contracts Business Analytics (MOSS-I-BABI) is a web-based SharePoint system designed to utilize Microsoft Business Intelligence (BI) technology to apply tools and processes to perform iterative, staff-directed exploration of Procurement and Grants Office’s (PGO) grant data (that will include financial status reports (FSR), commitment and obligation amounts and established key performance indicators (KPIs)).
The MOSS-I-BABI will help the PGO gain insight into staff workload and grantee performance and will help to predict and improve future trends and workload.  The MOSS-I-BABI Prototype will deliver three sets of outputs based on the grants data.  The data extracted will be presented/delivered to the stakeholders (PGO users for the first phase, i.e., for the prototype) using MISO’s SharePoint portal.  MOSS-I-BABI will collect Names of CDC Grant specialists and Financial Account Information regarding staff workload and grantee performance.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The MOSS-I-BABI system will store/disseminate the Financial Account Information for enabling the staff of PGO users to determine staff workload and grantee performance.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  MOSS-I-BABI will store/disseminate Names of CDC Grant specialists and Financial Account Information regarding staff workload and grantee performance.  The PII collected is voluntary although necessary in order to process grant information and is collected at originating CDC systems (i.e. IMPAC II, UFMS, and FOTS).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No, there are no processes in place when major changes occur. The data for this system comes from the existing data sources at CDC such as IMPAC II, UFMS, and FOTS (Funding Opportunity Tracking System). Consent is obtained from these originating systems.  Users are advised that their contact and grantee information will be stored for future follow-up inquiries. All users are advised that this information will be stored at the discretion of the user.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Administrative:  Records are maintained in accordance with CDC’s record control schedule and record control policy.  The grantee info is secured using the CDC/IS Active Directory authentication process and role-based application control.

Technical:  Monitored by the Network and IT security controls, which are administered by OCISO and ITSO.

Physical:  Controls are managed by guards, ID badges, and key card restrictions.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Alan Olson
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  2/22/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-ITSO SharePoint Site Collection (ITSOSP) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/30/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1892
7. System Name (Align with system Item name):  MOSS-I-ITSO SharePoint Site Collection (MOSS-ITSOSP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Chare Brown
10. Provide an overview of the system:  The purpose of the MOSS-I-ITSO SharePoint Site Collection is to help improve organizational effectiveness by enhancing collaboration, strengthening knowledge management access and control, accelerating business processes, and facilitating strategic decision-making.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A

No IIF Collected.
E-Authentication Assurance Level = 3
Risk Analysis Date = 09/07/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  10/6/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-MASO SharePoint Site Collection (MOSS-I-MASO) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  3/14/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC System ID: 1958
7. System Name (Align with system Item name):  MOSS-I-MASO SharePoint Site Collection
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  John G. Goodson (hso2)
10. Provide an overview of the system:  The MASO SharePoint site collection will provide a medium for the sharing of documents and projects between MASO offices and members within the CDC community. No PII will be stored within the system. Common data elements and documents will include administrative, financial and project data.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The MASO SharePoint site collection will provide a medium for the sharing of documents and projects between MASO offices and members within the CDC community. No PII will be stored within the system. Common data elements and documents will include administrative, financial and project data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  3/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-MISO SharePoint Collection (MISOSP) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  10/8/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1907
7. System Name (Align with system Item name):  MOSS-I-MISO SharePoint Collection (MISOSP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sandy Chapman
10. Provide an overview of the system:  The MOSS-I-MISO SharePoint Collection (MISOSP) will support the MISO Office of the Director (OD) functions, the MISO communities, MISO service teams and IT program management and projects.  The MISO site collection will host request tracking tools, project team collaboration sites, project management initiatives, common processes, common tools, and common procedures.  It will help to strengthen communication and MISO corporate knowledge.
MISOSP supports this purpose by providing users a single, integrated location offering employees the following:
o   Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
o   Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
o   Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
o   Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
o   Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
o   Business Intelligence – Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The MOSS-I-MISO SharePoint Collection (MISOSP) will support the MISO Office of the Director (OD) functions, the MISO communities, MISO service teams and IT program management and projects.  The information collected will be data relating to services and project management resources. There will be no PII collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A – No PII is collected
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  PII = No
E-Auth Level = N/A
Risk Analysis date 08/31/2010
PIA Approval
PIA Reviewer Approval:  Promote

PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  10/12/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-NCBDDD Internal SharePoint (MOSS-I-NCBDDD) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/19/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0136
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC#  1860
7. System Name (Align with system Item name):  NCBDDD_Internal_Sharepoint
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Andrew Autry
10. Provide an overview of the system:  This is the NCBDDD implementation of Sharepoint.  The purpose of the system is to enable NCBDDD users to share data, collaborate on projects and to create project (and branch) sites for workflow management.  The information processed will include abstracted clinical and school data on birth defects and developmental disabilities, clinical data on blood disorders, clinical data on human development, clinical data on hearing screening, and clinical data on disability. All of the data used on SharePoint will be existing data collected from NCBDDD surveillance systems which have ATOs (Metropolitan Atlanta Congenital Defects Program-CASES and Metropolitan Atlanta Developmental Disabilities Surveillance Program).
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII will be shared among authorized project staff with a “need to know”.  No PII will be shared or disclosed to anyone outside the agency.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1.    SharePoint will use data previously collected from MACDP & MADDSP which contains names, last 4 digits of SSN, date of birth, street address, birth certificate and death certificate data.
1)   These data are necessary to identify the child under surveillance so that we can link these children to Special Education database and birth certificates. 
2)   PII is included
3)   PII is collected without consent
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  1)   None
2)   None
3)   Data was collected for the MACDP & MADDSP projects. SharePoint will be used to automate manual processes.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  PII will be secured on the system using the SharePoint functionality (technical controls) and limiting access to this system to people who have a need to know.  Administratively, all NCBDDD staff handling PII have signed a confidentiality pledge.  The servers are housed at the Chamblee location and access is restricted to authorized personnel (physical controls).
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  8/25/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-NCCDPHP (MOSS-I-NCCDPHP) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/28/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1861
7. System Name (Align with system Item name):  MOSS-I-NCCDPHP
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cindy Allen
10. Provide an overview of the system:  This system (site collection) will be used as a portal containing sites and sub-sites for the individual organizations within NCCDPHP. NCCDPHP needs include, but are not limited to, the facilitation of internal collaborative efforts on projects and workgroups in programmatic activities and shared document repositories for intranet publishing.  It will be administered by the NCCDPHP Office of Informatics and Information Resources Management (OIIRM).  The initial site collection will be an out-of-the-box stand-up containing placeholders for each Division.  The taxonomy will reflect the NCCDPHP organizational structure.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1)    The system will be comprised of information concerning business processes, programmatic functions, and administrative services
2)    Collaboration
3)    No PII
4)   N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No IIF Collected.
E-Authentication Assurance Level = 2
Risk Analysis Date = 8/13/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  9/29/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-NCEH/ATSDR SharePoint Site Collection (NASSC) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/10/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC# 1819
7. System Name (Align with system Item name):  MOSS-I-NCEH-ATSDR SharePoint Site Collection (NASSC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Carol Waller
10. Provide an overview of the system:  This system provides the infrastructure and service for the CDC implementation of Microsoft SharePoint services.  This system provides a single, integrated location where employees can efficiently collaborate with team members, find organizational resources, search for experts and corporate information, manage content and workflow, and leverage business insight to make better-informed decisions.
• Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
• Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
• Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
• Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
This system supports the SDLC process of Initiation, Development/Acquisition, Implementation, Operations/Maintenance, Disposal of Site Collections and Sites for the C/I/Os of the CDC List user organizations (internal/external) and type of data processing provided.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A.  The system does not contain PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) NASSC contains survey data.

(2) NASSC provides a single, integrated location where employees can efficiently collaborate with team members, find organizational resources, search for experts and corporate information, manage content and workflow, and leverage business insight to make better-informed decisions.

(3) NASSC contains no PII.

(4) N/A.  NASSC contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  (1)  N/A.  NASSC contains no PII.

(2)  N/A.  NASSC contains no PII.

(3)  N/A.  NASSC contains no PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Information will be secured using Active Directory access control lists
No IIF
Risk Analysis Date: 05/10/2010
E-Auth Level = NA
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L. Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  8/11/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MOSS-I-NCIRD Site Collection (NCS) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  12/2/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1856
7. System Name (Align with system Item name):  MOSS-I-NCIRD Site Collection
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Joe McDowell
10. Provide an overview of the system:  The MOSS-I-NCIRD Site Collection is an extension of the Enterprise SharePoint System for NCIRD. NSC Site will be designed to support the NCIRD Divisions in the areas of project, document and staff management. The system is composed of several intranet sites for each NCIRD Division and an umbrella intranet site for all of NCIRD. The sites will be used by NCIRD employees to manage project documents and schedules, branch staff calendars, and branch-related information. MOSS-I-NCIRD Site Collection will also be used as a communication vehicle to store Security C&A Packages, Security Annual Assessments, Security documentation, SOP, WIKIs and other security documents.
MOSS-I-NCIRD Site Collection supports this purpose by providing users a single, integrated location offering employees the following:
•  Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
•  Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
•  Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
•  Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
•  Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
•  Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The sites will be used by NCIRD employees to manage project documents and schedules, branch staff calendars, and branch-related information. MOSS-I-NCIRD Site Collection will also be used as a communication vehicle to store Security C&A Packages, Security Annual Assessments, Security documentation, SOP, WIKIs and other security documents.
MOSS-I-NCIRD Site Collection supports this purpose by providing users a single, integrated location offering employees the following:
•  Collaboration and Social Computing - Allow teams to work together effectively, collaborate on and publish documents, maintain task lists, implement workflows, and share information through the use of wikis and blogs.
•  Enterprise Content Management - Create and manage documents, records, and Web content by using workflow and information rights management.
•  Portals - Create a personal My Site portal to share information with others and personalize the user experience and content of an enterprise Web site based on the user's profile.
•  Business Process and Forms - Design business forms that are accessible directly in a Web browser and integrate them with databases or other business applications.
•  Enterprise Search - Quickly and easily find people, expertise, and content in business applications.
•  Business Intelligence - Allow information workers to easily access critical business information, analyze and view data, and publish reports to make more informed decisions.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A – No PII is collected
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A – No PII is collected

No IIF Collected.
E-Authentication Assurance Level = (0) N/A
Risk Analysis Date = 11/01/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  12/6/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC MR Interview [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  12/1/2008
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  Rolled-up under CDC PH Monitoring for Office of Terrorism # 009-20-01-03-02-8121-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-90-0001
5. OMB Information Collection Approval Number:  no
6. Other Identifying Number(s):  none
7. System Name (Align with system Item name):  COTPER MR Interview (MRI)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Joseph Dell
10. Provide an overview of the system:  MR Interview is a COTS application designed for the creation and distribution of electronic surveys.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No IIF is shared or disclosed
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Names may be used during survey collection, however all data input will be voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  None
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  All applicable C&A controls will be in place when the system completes its C&A.

 

No IIF Collected.
E-Authentication Assurance Level = 1
Risk Analysis Date = 10/6/2008, updated 9/28/2009
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Felicia P. Kittles OCISO C&E PM
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  12/2/2008
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Multistate Foodborne Disease Outbreak Investigation System (MFDOIS) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  5/17/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  Multistate Foodborne Disease Outbreak Investigation System (MFDOIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Ian Williams
10. Provide an overview of the system:  MFDOIS utilizes coded data and does not process PII. This system will join together epidemiologic and laboratory data in real time and enhance electronic information sharing of surveillance, outbreak, recall, and other data among local, state, and federal partners during multistate foodborne disease outbreak investigations. This system will also rapidly visualize epidemiologic data from "clusters" of cases identified by PulseNet, including producing a standard set of reports that describe these cases by person, place, and time characteristics.  These clusters are defined by patients with isolates having indistinguishable DNA fingerprint patterns as identified by PulseNet, the national molecular subtyping network for foodborne disease surveillance, comprised of state and local public health laboratories and federal food regulatory agency laboratories that perform pulsed-field gel electrophoresis, multiple-locus variable-number tandem repeat analysis (MLVA), or both on bacteria that may be foodborne.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  System will maintain information on age, gender, state and county of residence, date of illness onset, date of isolate collection, date of isolate upload, hospitalization (y/n), and died (y/n) on cases of Salmonella, STEC, and Listeria infection reported by state health departments. The system will also contain information about exposures that could have resulted in the illness (e.g., different types of food eaten in the week before illness onset, exposure to animals, sources of water). This system will not collect or solicit PII. These data will be used to rapidly visualize “clusters” of cases identified by PulseNet and to work collaboratively with state and local health department partners to update and maintain these data during foodborne disease outbreak investigations, and identify potential sources of infection for clusters. Please note that this data is coded.  There are no identifiers in this system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
No IIF collected
E-Authentication Assurance Level:  Low (2)
Date of most recent risk assessment:  04/04/2011
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  5/17/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC My Water's Fluoride [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/23/2008
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-03-02-9023-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CDC DOH GA - My Water's Fluoride
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cindy Allen
10. Provide an overview of the system:  These are authenticated applications on the CoCHP Internet Platform. The logins or user account information contains business IIF. The CoCHP Internet Platform provides dynamic web content to the general public and public health partners in support of the Coordinating Centers for Health Promotion.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Some of the applications provide business contact information for public officials.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information contained within this system is for the purpose of providing dynamic Web sites to the general public, state and local health departments, prevention research centers, public health officials, and educational institutions in support of CoCHP programs.  The platform is designed to host applications that disseminate Low-category, public data and information; provide interactive features to users of the public Web site; and collect Low-category, public-domain data and information from CoCHP’s funded and unfunded partners. All IIF used within applications on this platform are business-related contact information of public officials that are readily available through a variety of public mechanisms and do not compromise an individual’s personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No uniform process in place. Several applications have a process in place to inform users of major changes to the system.

Users are aware of the IIF collected and how it is being used. Users must volunteer their IIF.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  All of the data, including the IIF, follow the security controls of the EMSSP.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael W. Harris
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  8/25/2008
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Namibia IT Infrastructure (GAP-Namibia) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  1/3/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  Namibia IT Infrastructure
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Calvin Johnson
10. Provide an overview of the system:  This is a general office support system for CDC GAP Namibia and provides a file server, exchange server, webmail server; authentication is performed via CDC Active Directory with a failover to local host.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  PII = No
EAL = N/A
Risk Analysis Date = 12/28/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  1/6/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Antimicrobial Resistance Monitoring System (Version 2.0) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  12/20/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-02-02-9721-00-110246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC ID: 1264
7. System Name (Align with system Item name):  National Antimicrobial Resistance Monitoring System (NARMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Jean Whichard
10. Provide an overview of the system:  NARMS is an interagency collaboration between the FDA, CDC and USDA that tests human, animal and meat isolates for resistance to clinically important veterinary and human antibiotics. The CDC arm of NARMS performs antimicrobial resistance testing on isolates for selected foodborne pathogens (Salmonella, Shigella, Campylobacter, Listeria, Non-cholera Vibrio, non-commensal Enterococcus) originating from and speciated by state/local health laboratories. NARMS analyzes the resistance data for trends and publishes public reports summarizing trends/key concepts in antimicrobial resistance. These findings are used for such purposes as: expanding the worldwide public knowledge of appropriate use of antibiotics; identifying emerging resistance mechanisms in important foodborne pathogens; providing supporting data for regulatory approval/denial of use of antimicrobials in agriculture and for clinical use in humans; etc. Each arm of NARMS maintains its own data and systems and there is no connectivity between arms.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  n/a
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The NARMS system will capture state laboratory isolate information.  This information includes the pathogen name (genus/species/serotype/etc), identification number, and non-PII demographic information such as collection date, collection source, gender, and age.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  12/20/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Death Index [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  5/8/2012
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0166
5. OMB Information Collection Approval Number:  0920-0215
6. Other Identifying Number(s):  ESC ID: 153
7. System Name (Align with system Item name):  NATIONAL DEATH INDEX
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Lillian Ingster
10. Provide an overview of the system:  The National Death Index (NDI) is a file of identifying death record information for all U.S. deaths occurring since 1979. This computer-matching service assists health researchers in determining whether specific study subjects have died, and if so, provides researchers with the states and dates of death and death certificate numbers. The NDI Plus service also provides the cause of death codes derived from the decedents' death certificates. Since 1982 the NDI has performed over 4,000 searches involving over 50 million records submitted by researchers involved in a wide variety of activities -- including clinical trials, post-marketing drug surveillance, occupational health studies, cancer and other disease registries, and longitudinal studies involving large population groups.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Release of PII is restricted solely to health researchers in federal/state agencies, universities, and private industry. Health researchers use information on their deceased study subjects to conduct a wide variety of epidemiologic studies.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The NDI uses identifiable death record information to assist health researchers to determine if their study subjects died and to obtain the decedents’ causes of death. The PII is obtained voluntarily from state vital statistics offices via contracts.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The data are administrative information collected by the state health departments in conformity to state laws. When a major change occurs to the system we are required to notify the states.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The database is secured in the CDC SQL Server Consolidated environment, which is backed up regularly.  Access to the database is limited to users in the NDI office and support staff in DVS (SPSRB).  Cause-of-death data and SSN are encrypted within the database.
Search request input files are retained in the database for 60 days after search completion, after which an automatic process will destroy all search details, retaining only summary information about each search.  The system will also notify NDI staff to confirm destruction of the original CDs and any copies of the input files stored outside the database.
Results files will be encrypted and prepared by the system for an NDI staff member to password protect and burn the contents onto a CD to be sent back to the requesting researcher by Federal Express.  The password will be e-mailed separately along with the package tracking number.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  5/8/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Electronic Injury Surveillance System Cooperative Adverse Drug Event Surveillance (NEISS-CADES Version 2.0) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  6/29/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  National Electronic Injury Surveillance System – Cooperative Adverse Drug Event Surveillance (NEISS-CADES) application version 2.0.0
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Daniel Pollock
10. Provide an overview of the system:  The National Electronic Injury Surveillance System – Cooperative Adverse Drug Event Surveillance (NEISS-CADES) application (pronounced “NICE-CADES”) collects drug-related hospital emergency department visit data in order to analyze adverse drug events.  SSNs are not collected.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII is provided to investigators extracting adverse drug event datasets for analysis.  Investigators vary, but include pharmacists and epidemiologists at the Centers for Disease Control and Prevention (CDC) and at the Federal Drug Administration (FDA).  Investigators are provided with datasets in order to analyze adverse drug event data.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1)   Treatment date, date case collected by CPSC, date case changed by CPSC, CPSC unique identifier (NEK), hospital coder id (HID), hospital name, hospital size range (hospital stratum), hospital weighting average (PSU), case trauma weight, patient sex, patient race, patient  age, location where adverse drug event occurred, patient disposition, emergency department visit reason, emergency department diagnosis, comments, emergency department lab tests, other info, emergency department  treatments, other drugs possibly involved, CPSC import file name, CPSC evaluation if case meets CDC case criteria, CDC evaluation if case meets CDC case criteria, CDC case status, data quality, drug, drug route, drug route specific, drug route description, generic drug, drug formulation, drug category, drug subgroup, drug group, pills taken, units taken, duration drug was taken, frequency drug was taken, mechanism of adverse drug event, role of drug, medication error, MedDRA description, case discussion, CPSC comments, question flag

2)   To analyze adverse drug events which warrant a visit to an emergency department.

3)   The information contains PII: date of treatment, hospital name, patient sex, patient race, patient age.  No data is collected that will identify a specific person such as name or social security number.

4)   Most data is mandatory
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  1. There is no method by which to identify the patient to notify or obtain consent.
2. As above – there is no data that identifies a specific patient.
3. Information is used and shared for analysis of adverse drug events which warranted a visit to an emergency department
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  -      Data is stored on ITSO servers which are secured technically using authentication, and Microsoft SQL Server security protocols.
-      Data is stored on ITSO servers which are secured physically using restricted badge-only access.
-      The appl
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  6/29/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Health and Nutrition Examination Survey (NHANES) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  2/4/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-01-1040-02
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0164
5. OMB Information Collection Approval Number:  0920-0237
6. Other Identifying Number(s):  ESC #: 158; Protocol # 2005-006
7. System Name (Align with system Item name):  National Health and Nutrition Examination Survey (NHANES)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Jerry Del Rosso
10. Provide an overview of the system:  The National Health Examination Survey (NHES) is the forerunner to the NHANES and was operational in the years 1959 – 1962, 1962 – 1965, 1966 – 1967.  NHANES 1 ran from 1971 – 1976, NHANES 2 from 1976 – 1980, and NHANES 3 from 1988 – 1994.  The current NHANES has been operational since 1999 to the present day.
The NHANES system consists of multiple computing and functional components at various locations.  Primary components of NHANES include:
·          Collection:  Fully encrypted Fujitsu Lifebook T2020 Convertible Laptop computers are used for collecting interview data in the field.  Survey data are maintained on the Fujitsu T2020 computer until uploaded to the Field Office (FO) server.  The Fujitsu T2020 computer can operate in two modes -- as a traditional laptop computer and as a tablet computer.   The Fujitsu T2020 is connected to the FO network for uploading survey data.
·          Analysis:  Workstations and servers are located at all field offices and MEC trailers, the Westat offices in Rockville, Maryland, and the NCHS in Hyattsville, Maryland.  Windows XP workstations are used for database access, data manipulation and review, and numerous other administrative duties.  Microsoft Windows 2003 servers provide file and print server functionality on each network.  The Microsoft Windows 2003 server does not maintain the database records from medical exams or surveys.  Sun Microsystems Sybase database servers reside at all MEC trailers, the Westat office in Rockville, Maryland, and the NCHS office in Hyattsville, Maryland.  Identifying details are removed from data every two years or as necessary in support of the creation of public release datasets.
·          Reporting:  This data is cleaned and edited after a two year data collection period to ensure high quality and to remove data that could identify a survey participant.  Before releasing the data to the public, the data is reviewed by the NCHS Disclosure Review Board (DRB).  Based on the DRB’s recommendations, the data is further processed, if necessary, to remove any other identifiable information.  Once the records are de-identified, the data is released to the public.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII can be used by collaborators or researchers under a very strict control in the NCHS Research Data Center (RDC).  At the RDC, survey data is used in a controlled environment allowing only aggregated information to be disseminated from the RDC.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1.       The NHANES system collects, analyzes and disseminates data on the health of Americans.  All major diseases, risk factors and behaviors, environmental exposures, and relationship between diet/health/nutrition are assessed.  The system collects and processes health and nutritional information annually from about 5,000 adults and children in the United States.

2.       NHANES data are used to measure the prevalence of numerous chronic diseases and risk factors, to measure exposure to hundreds of environmental chemicals, and to measure the nutritional intake of the U.S. population.

3.       PII is collected to allow future contact of a survey participant to report results of medical tests and for future longitudinal research both passive and active.  
 
Collection of PII is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  1.       Major changes have not occurred and disclosure is not permitted; therefore, a system is not in place.  Should major changes occur in the future, each individual would be re-contacted for consent to the changes.
 
2.       Written informed consent to collect data is obtained prior to data collection. 
 
3.        Written informed consent to collect data is obtained prior to data collection.  The informed consent process includes information on how the information will be used or shared.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Administrative controls:
·          The system maintains SSP as a part of C&A CDC process.
·          The system maintains BCP with annual testing.  The system maintains the backup and failover procedures.
·          Regular scheduled backups of data.
·          User manuals.
·          Role based access to data ensures least privilege and accountability.
·          Monthly system security reviews and analysis.
·          Data containing PII are strictly protected in accordance with
o         Section 308(d) of the Public Health Service Act (42 U.S.C. 242m).
o         Chapter 45-13, “Safeguarding Record Contained in Systems of Records”, of the HHS General Administration Manual.
o         HHS Automated Information Systems Security Manual
o         NCHS Staff Manual on Confidentiality.
o         OMB Circular A-130, Appendix III.
·          All employees of NCHS and contractor personnel with access to NHANES records are required, as a condition of employment, to sign an affidavit binding them to nondisclosure of PII.
·          System has undertaken security evaluation risk assessments with the CDC and NCHS ISSOs, staff.  These groups in part or whole have conducted thorough reviews of the NHANES network architecture, system architecture, and system/network security in March 2005.  This review was in the form of a tabletop test.
Technical controls:
The system maintains the following technical controls in place:
·          User identification
·          Passwords
·          Firewalls
·          Virtual private network (VPN)
·          Data encryption
·          Intrusion detection system (IDS)
·          Equipment failure monitoring and replacement/duplication
 
Physical controls:
·          Security guards at the entrance point
·          ID badges
·          Key cards
·          Closed circuit TV (CCTV)
·          Servers with PII data are locked in caged area inside access protected room.

E-Auth Level: 2
Risk Assessment Date: December 14, 2009
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L. Carter OCISO C&E PM
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  2/8/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Health Interview Survey [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  Initial PIA Migration to ProSight 
1. Date of this Submission:  7/9/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-06-01-1020-02
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0164
5. OMB Information Collection Approval Number:  0920-0214
6. Other Identifying Number(s):  ESC #: 161
7. System Name (Align with system Item name):  National Health Interview Survey
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Anne Stratton
10. Provide an overview of the system:  The National Health Interview Survey (NHIS) is a multi-purpose health survey of the civilian non-military population conducted by the National Center for Health Statistics (NCHS), which has produced annual data since 1957. NHIS data are used to describe the health of the US population, monitor trends in national health objectives, set and evaluate health policies, and perform methodological and epidemiological research on important health issues.  Findings are generalizable to the US household population but have also been used to explore issues at the regional and state level.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  All information collected in the NHIS will be held in strict confidence according to law [Section 308(d) of the Public Health Service Act (42 United States Code 242m (d)) and the Confidential Information Protection and Statistical Efficiency Act (PL 107-347)]. Aside from NCHS employees, the only parties that can receive PII are the U.S. Census Bureau and NHIS collaborators (persons who have worked as our full partners from the earliest stages of the survey). These parties, who will use this information for statistical research only and to carry out this survey, are bound by strong restrictions designed to guarantee privacy. 1. The Agency for Healthcare Research and Quality (AHRQ) follows up with half of the NHIS sample on its Medical Expenditures Panel Survey (MEPS). By NHIS providing the MEPS sample, AHRQ is able to save an estimated eight million dollars on its 1996 reengineering project and continues to save budget by forgoing annual listing and other sampling costs. 2. The Office of Analysis and Epidemiology at NCHS links NHIS data records to the National Death Index (NDI) which provides the opportunity to conduct studies to investigate the association of a variety of health factors with mortality, using the richness of the NHIS data.  3. The National Opinion Research Center (NORC) uses NHIS data to conduct the National Immunization Provider Record Check Study (NIPRCS), a follow-up study that validates the immunization histories of the children 12-35 months of age included in the NHIS.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Since 1960, the National Center for Health Statistics (NCHS) has had the objective of producing vital and health statistics for the United States.  NCHS has legislative authority under 42 U.S.C. 242k, Section 306(b) of the Public Health Service Act to collect statistics on the extent and nature of illness and disability of the population; environmental, social and other health hazards; determinants of health; health resources; and utilization of health care.  The National Health Interview Survey (NHIS) is a multi-purpose health survey conducted by NCHS in support of this legislative charge.  It is the principal source of information on the health of the civilian, non-institutionalized population of the United States. 

The data collected through the NHIS are used for statistical purposes only. Uses within the Department include the preparation of aggregated data in the form of statistical tables for publication, analysis, and interpretation, to meet the legislative mandates of 42 U.S.C. 242k, i.e., to determine levels of illness and disability and their effects on the population, the use of health care facilities, trends in family formation and dissolution, etc.

PII is collected as described in Q. 23.  Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  (1) NHIS policy does not permit disclosure rule changes and/or data use changes after the time of data collection and consent.  The consent procedures in place for a given year continue to guide the use of the data in subsequent years.  Any desired changes in data uses or disclosure must be put in place prior to data collection and apply only to that year's data collection.  At no point has any disclosure change or data use change occurred in the NHIS after the time of data collection and consent.

(2) There are three separate points in the NHIS collection process where we notify and obtain consent from individuals regarding the collection of personally identifiable information (PII) and inform said participants of the usage of this PII.
First, a written advance letter is mailed to all households selected for the NHIS sample.  This letter informs the potential participant that his/her participation is voluntary and that all data collected will be kept strictly confidential in accordance with the prevailing laws.  The letter also informs the participant that his/her personal information will only be received by NCHS employees and contractors, the U.S. Census Bureau, and NHIS collaborators and that by law we cannot release information that could identify the participant and participant’s family to anyone else without the participant’s consent. 
Second, when the interviewer makes contact with the potential respondent, there is a standard consent protocol that the interviewer is required to follow which includes displaying the interviewer’s proper credentials and introducing himself or herself as an interviewer for the department of the Census conducting the NHIS.  The interviewer is then instructed to hand the respondent a copy of the Advance Letter and allow time for the respondent to read it.  After the respondent has read the Advance Letter, the interviewer is then instructed to ask “Do you have any questions about anything (you have read/I have read to you) about the National Health Interview Survey?”  Following this, the interviewer is to ask “Are you willing to participate in the survey?” 
Third, in the survey instrument itself, text informing the respondent about the reasons for collecting Social Security Number and Medicare Number is read prior to asking these questions.  The respondent is asked specific questions asking permission to link NHIS data with data from other sources.  These questions detail what the data will be used for and reiterate to the participant that answering these questions is voluntary. 

In addition, the NCHS Ethical Review Board (ERB) reviews NHIS content each year, as an advocate for the potential respondent.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  It is the responsibility of all employees of NCHS, including in-house contract staff, to protect, preserve, and secure all NHIS data (this includes all oral or recorded information in any form or medium) from unauthorized persons and uses. All NCHS employees as well as all contract staff have received appropriate training and made a commitment to assure confidentiality and have signed a "Nondisclosure Statement". Staffs of collaborating agencies are also required to sign this statement and outside agencies are required to enter into a more formal agreement with NCHS before access to PII is permitted. It is understood that protection of the confidentiality of records is a vital and essential element of the operation of NCHS, and that Federal law demands that NCHS provide full protection at all times of the confidential data in its custody. Only authorized personnel are allowed access to confidential records and only when their work requires it. When confidential materials are moved between locations, the items are tracked to ensure that there is no loss in transit and when confidential information is not in use, it is stored in secure conditions.

It is the Center's policy to make public use data files available to the public via the Internet so that additional analyses can be made of these data for the benefit of the U.S. population. Confidential data will never be released to the public. For example, all personal identifiers are removed from the file; i.e., name, address, location number, sample person number, etc. A concerted effort is made to avoid any disclosures, such as detailed geographic information that may allow a researcher to go back and find individuals in the general population.  Data must be approved for release by the NCHS Confidentiality Officer and NCHS Disclosure Review Board.

Procedural Safeguards: All employees of NCHS and contractor personnel with access to NHIS records are required, as a condition of employment, to sign an affidavit binding them to nondisclosure of PII and to view an NCHS video tape addressing confidentiality and systems security. Periodic correspondence is sent to staff to reinforce confidentiality regulations, guidelines, and procedures. Protection for computerized records on various IT platforms includes programmed verification of valid user identification code and password prior to logging on to the system, mandatory password changes, limited log-ins, virus protection, user rights/file attribute restrictions, and firewalls. Password protection imposes user name and password log-in requirements to prevent unauthorized access. Each user name is assigned limited access rights to files and directories at varying levels to control file sharing. There are routine daily backup procedures and Vault Management System for secure off-site storage for backup tapes. Additional safeguards may be built into the program by the system analyst as warranted by the sensitivity of the data.
Risk Assessment Date: June 8, 2010
E-Auth Level: 3
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  7/9/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National HealthCare Safety Network (NHSN) [SYSTEM]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  6/17/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  OMB No. 0920-0666

Exp. Date:  03-31-2011
6. Other Identifying Number(s):  ESC #: 623
7. System Name (Align with system Item name):  National Healthcare Safety Network (NHSN)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Daniel Pollock
10. Provide an overview of the system:  NHSN allows participating healthcare facilities to enter data associated with healthcare safety events, such as surgical site infections, antimicrobial use and resistance, bloodstream infections, and healthcare worker vaccinations.  NHSN provides analysis tools that generate reports using the aggregated data (reports about infection rates, national and local comparisons, etc.).  Participating NHSN healthcare facilities can access web-based screens that allow them to enter data associated with healthcare safety events.  These data are captured in a relational database at the CDC.  Participants can then use NHSN analysis tools to generate reports that are displayed on their web browser.  Any U.S. healthcare institution including hospitals, outpatient centers, and long-term care facilities may enroll in NHSN provided they have access to the Internet.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Yes, with Healthcare facilities in the U.S.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  NHSN is a voluntary surveillance system. The system requires reporting of the following information:
Patients: patient identification number (may be a medical record number), gender and date of birth.  For some patients, birth weight is required.
Healthcare workers: healthcare worker identification number, gender, date of birth, work location, and occupation.
Facilities: facility name, address, county, city, state, zip code, telephone number, identifying number (i.e., CMS provider number and/or American Hospital Association identification number and/or Veterans Administration station code), type, ownership category, affiliation with a medical school (y/n), and bed-size characteristics.
Users: name, address (if different from facility), telephone number, and email address.
Optional IIF that may be reported to NHSN:
Patients: Social security number, secondary identification number, name, ethnicity, and race.
Healthcare workers: name, address, work and home phone numbers, email address, born in United States (y/n), ethnicity, race, and date of employment.
Users: fax number, pager number, and title.

The IIF data is used for the facilities’ own purposes only and is not used by the CDC.  The CDC uses only aggregated de-identified data for its analysis purposes.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  NHSN is a public health surveillance system and does not require obtaining consent from individuals whose data are submitted and stored in the system.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system data is protected by residing within the Secure Data Network, and each user is required to have obtained a digital certificate in order to access the system.  Each user can access data for their own facility only.  Each user signs a “Rules of Behavior” contract which states the rules for privacy and IIF security.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  6/17/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National HealthCare Safety Network DEMO (NHSN DEMO) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  3/21/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 623
7. System Name (Align with system Item name):  National Healthcare Safety Network Demonstration System (NHSN DEMO)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dr. Dan Pollock
10. Provide an overview of the system:  NHSN Demo allows State Health Departments to see a demonstration of the capabilities that the production NHSN application provides to participating healthcare facilities to enter data associated with healthcare safety events such as surgical site infections, antimicrobial use and resistance, bloodstream infections, and healthcare worker vaccinations.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system does not collect any “real” data. Dummy data is stored in the system so potential users can evaluate the system to see if they want to use it.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  3/21/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National HealthCare Safety Network SAMS (NHSN SAMS) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  2/24/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  OMB No. 0920-0666
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  National Healthcare Safety Network (NHSN) SAMS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Daniel Pollock
10. Provide an overview of the system:  NHSN allows participating healthcare facilities to enter data associated with healthcare safety events, such as surgical site infections, antimicrobial use and resistance, bloodstream infections, and healthcare worker vaccinations.  NHSN provides analysis tools that generate reports using the aggregated data (reports about infection rates, national and local comparisons, etc.).  Participating NHSN healthcare facilities can access web-based screens that allow them to enter data associated with healthcare safety events.  These data are captured in a relational database at the CDC.  Participants can then use NHSN analysis tools to generate reports that are displayed on their web browser.  Any U.S. healthcare institution including hospitals, outpatient centers, and long-term care facilities may enroll in NHSN provided they have access to the Internet.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Yes, with Healthcare facilities in the U.S.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  NHSN is a voluntary surveillance system. The system requires reporting of the following information:
Patients: patient identification number (may be a medical record number), gender and date of birth.  For some patients, birth weight is required.
Healthcare workers: healthcare worker identification number, gender, date of birth, work location, and occupation.
Facilities: facility name, address, county, city, state, zip code, telephone number, identifying number (i.e., CMS provider number and/or American Hospital Association identification number and/or Veterans Administration station code), type, ownership category, affiliation with a medical school (y/n), and bed-size characteristics.
Users: name, address (if different from facility), telephone number, and email address.
Optional IIF that may be reported to NHSN:
Patients: Social security number, secondary identification number, name, ethnicity, and race.
Healthcare workers: name, address, work and home phone numbers, email address, born in United States (y/n), ethnicity, race, and date of employment.
Users: fax number, pager number, and title.

The IIF data is used for the facilities’ own purposes only and is not used by the CDC.  The CDC uses only aggregated de-identified data for its analysis purposes.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  NHSN is a public health surveillance system and does not require obtaining consent from individuals whose data are submitted and stored in the system.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system data is protected by residing within CDC SAMS.  Each user can access data for their facility only.  Each user signs a “Rules of Behavior” contract which states the rules for privacy and IIF security.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Alan Olson
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  3/2/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National HIV Monitoring and Evaluation Training (NHM&E) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  2/15/2012
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 2082
7. System Name (Align with system Item name):  National HIV Monitoring and Evaluation (NHM&E) Training
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dale Stratford
10. Provide an overview of the system:  The primary purpose of the NHM&E Training Website is to provide CDC, contracted staff, and staff at health departments and community-based organizations with the training and skills necessary to implement and utilize the NHM&E variables and HIV Prevention Program Evaluation and Monitoring System (PEMS) or other government-provided reporting software for reporting to CDC and for their own monitoring and evaluation needs.  There are quizzes in the lessons that are scored and certificates of completion that people can print out if they want to, but that is not reported to CDC.  CDC receives a record of which lessons were accessed and completed, agencies that accessed the system and average time in the system.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1)   The NHM&E Training system collects agency contact data from individuals authorized to access the website and interested in taking various training courses available through the website. Agency data collected includes: first name, last name, agency name, and agency email address.
2)   This information is required for the registration process to be eligible to take the online training courses available on the website.
3)   The personal information collected is agency contact information only. There is no PII in the NHM&E Training system.
4)   Submission of all information is strictly voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A agency contact information only
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  2/15/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Immunization Survey for Preteens [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/31/2009
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC# 1745
7. System Name (Align with system Item name):  National Immunization Survey for Preteens (NIS-Teen)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cathy Hogan
10. Provide an overview of the system:  National Immunization Survey for Preteens (NIS-Teen) gives an estimate of the number of people who have received particular vaccines which is measured at national, state, and local levels.
These surveys are used to: 1) Identify groups at risk of contracting vaccine-preventable diseases;
2) Stimulate efforts to increase coverage; 3) Evaluate how well the efforts work.
Also, the study is designed to help researchers better understand why some adults choose not to get vaccinated for preventable diseases.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No IIF Collected.

E-Authentication Assurance Level = N/A

Risk Analysis Date = 8/10/2009
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Felicia P. Kittles OCISO C&E PM
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  9/3/2009
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Molecular Subtyping Network for Foodborne Disease Surveillance (PulseNet) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/9/2012
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-02-02-0172-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC #: 172
7. System Name (Align with system Item name):  CDC National Molecular Subtyping Network for Foodborne Disease Surveillance (PulseNet)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Peter Gerner-Smidt
10. Provide an overview of the system:  National Molecular Subtyping Network for Foodborne Disease Surveillance (PulseNet) is a client-server system that consists of a national network of public health laboratories and Federal regulatory agencies (CDC, USDA, and FDA) that perform molecular subtyping analysis on foodborne disease bacteria.  The network permits rapid comparisons of DNA fingerprint patterns through a database at the CDC.  The molecular subtyping method used by PulseNet is called pulsed field gel electrophoresis (PFGE).  Another piece added to PulseNet is called CaliciNet.  Sequence analysis is used by CaliciNet.  PulseNet and CaliciNet use BioNumerics, a commercial off-the-shelf (COTS) product that functions as a client-server application.
PulseNet and CaliciNet participants (the public health and food regulatory agency laboratories) use a standardized protocol to generate the DNA fingerprints.  Standardization provides the capability to exchange information electronically, allowing laboratories and epidemiologists throughout the U.S. to rapidly compare DNA fingerprints of submitted isolates with those in the database.  The ability to compare isolates quickly leads to a more rapid detection of outbreaks and faster response time by public health agencies, contributing to the prevention of further diseases and illnesses.
PulseNet also added the functionality to allow authorized users read-only access to the PulseNet national databases using SAS 9.2 for data conversion/cleaning and analysis.  The SAS data will be stored at fsp-113\fcid_dbmd_1_apps\apps\soda4\mddb.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  NO PII
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A No PII
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  1/9/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Oral Health Surveillance System (NOHSS) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/26/2008
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-03-02-9121-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CDC DOH NOHSS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cindy Allen
10. Provide an overview of the system:  Reports data for oral health prevalence rates from a number of sources for data query.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Some of the applications provide business contact information for public officials.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information contained within this system is for the purpose of providing dynamic Web sites to the general public, state and local health departments, prevention research centers, public health officials, and educational institutions in support of CoCHP programs.  The platform is designed to host applications that disseminate Low-category, public data and information; provide interactive features to users of the public Web site; and collect Low-category, public-domain data and information from CoCHP’s funded and unfunded partners. All IIF used within applications on this platform are business-related contact information of public officials that are readily available through a variety of public mechanisms and do not compromise an individual’s personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No uniform process in place. Several applications have a process in place to inform users of major changes to the system.

Users are aware of the IIF collected and how it is being used. Users must volunteer their IIF.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  All of the data, including the IIF, follow the security controls of the EMSSP.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael W. Harris
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  8/25/2008
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Outbreak Reporting System Public (NORS Public) [SYSTEM]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  3/1/2012
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-02-02-9721-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC #: 1318
7. System Name (Align with system Item name):  National Outbreak Reporting System Public (NORS Public)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dana Cole
10. Provide an overview of the system:  National Outbreak Reporting System Public (NORS Public) is an ASP.Net web application with a SQL server backend.  This system provides the ability for the public to look at a small subset of filtered foodborne outbreak data captured by the National Outbreak Reporting System (NORS).  This is performed by filtering and transferring data from the NORS system to the NORS Public database. This is aggregate data that is extracted from the NORS system by using certain established parameters and then loaded to the NORS Public database.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This system provides the ability for the public to look at a small subset of filtered foodborne outbreak data captured by the National Outbreak Reporting System (NORS).  This is merely a site, with no PII, that can be accessed by the public for general information.  The public is able to choose from a few basic drop downs to filter the data that is available to them.  Public users are allowed to download an XML file of the data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A No PII
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  3/1/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Prevention Information Network [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  2/2/2012
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC #: 1521
7. System Name (Align with system Item name):  National Prevention Information Network (NPIN)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Susan Robinson
10. Provide an overview of the system:  The National Prevention Information Network (NPIN) does not store, collect, process, or transmit PII or SSN information. NPIN, at its inception as the CDC National AIDS Clearinghouse, was designed to facilitate the sharing of information and resources among people working in HIV prevention, treatment, and support services. Today, NPIN remains a comprehensive source of science-based information, which is accessible to professionals dedicated to the prevention of HIV, Viral Hepatitis, STDs, and TB.
NPIN is comprised of the following sites:
staging.cdcnpin.org
staging.npinsecure.cdcnpin.org
staging.hivtest.org
staging.mobile.hivtest.org
staging.findtbresources.org (graphics change)
staging.customizabledatafeed.cdcnpin.org (new site)
staging.cdcnpin.org/CRP (new site)
archive.cdcnpin.org (new archive site for internal use – info archived off the production site)

The NPIN Secure Extranet and the NPIN Customizable Data Feed site are accessible via an SSL-capable Web browser over the public Internet.  Membership is restricted to government employees and contractors working on the NPIN contract.  Access is permitted to those with a proper login only. Access to the system for privileged users requires the use of 2-Factor Authentication utilizing the Phone Factor software to complete the log-in process.

The changes that prompted the re-certification of the NPIN network included the following:
Archive.cdcnpin.org  - data archived off the public cdcnpin.org site will be moved to this site for internal and CDC use only.
Customizabledatafeed.cdcnpin.org - data already available on the cdcnpin.org site via a user-defined set of criteria for data elements and filtering. This site will require login credentials.
CDCNPIN.org/CRP – Campaign Resource Page site that allows the public to search for CDC campaigns of interest to them via specified search criteria. The site also allows the CDC to post new campaign information.
TBResources.org – This site received a complete facelift updating the .net version to 4.0.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Data that is housed within this network include catalogs, processes, stocks, and information on HIV/AIDS, STDs, and TB.
To provide materials and information on HIV/AIDS, STDs, and TB to organizations and people working in those disease fields in international, national, state, and local settings.
The NPIN system does not contain PII.

Personal information is not collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  2/2/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Program of Cancer Registries/Cancer Surveillance System (NPCR-CSS) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  11/5/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0160
5. OMB Information Collection Approval Number:  0920-0469
6. Other Identifying Number(s):  ESC# 1565
7. System Name (Align with system Item name):  National Program of Cancer Registry-Cancer Surveillance System (NPCR-CSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cindy Allen

10. Provide an overview of the system:  The National Program of Cancer Registries Cancer Surveillance System (NPCR-CSS) collects and reports data from NPCR States. The NPCR is a population-based system of cancer registries established in 1992 by the Cancer Registries Amendment Act (Public Law 102-515). As of January 2008, 45 States, 1 territory, and the District of Columbia submitted data to NPCR-CSS. When fully implemented, States funded by NPCR will collect data on cancer for 96 percent of the U.S. population. As part of the system, cancer registries also submit information about registry operations to CDC on an annual basis via a secure, web-based Annual Program Evaluation Instrument (NPCR-APEI). The NPCR-APEI is needed in order to receive, process, evaluate, aggregate, and disseminate NPCR program information.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Computerized edits used to check the data for its quality are written and require the use of these IIF.  Restricted-access data sets (RADS) may contain information that is potentially identifiable especially when linked with other data sets, such as the occurrence of a rare cancer in a person of a certain age or racial or ethnic group.  Only the month and year (and not the full date of birth) are provided in this data set.  Because restricted-access data sets may potentially contain identifiable information, states will have the option to not have their data included in RADS.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1) NPCR-CSS is a database-driven system designed to collect, record, and analyze patient cancer data.
 2) Data will be used to generate statistical outputs and reports on cancer incidence throughout the United States.
 3) NPCR-CSS contains the following information considered by HIPAA to be PII: county, zip code, census tract, date of birth, date of death, and exact age.
 4) Submission of this personal information is mandatory.  To protect privacy, programs may mask county, zip code, census tract, month/day of birth, and month/day of death with a recode.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No processes are in place. The data lacks the detail needed to identify individuals and is covered by an Assurance of Confidentiality Section 308(d).  Therefore, individual notification cannot be conducted and consent cannot be obtained and is not required.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The NPCR-CSS data reside on a dedicated server. To ensure the security and confidentiality of data, many provisions have been incorporated into the NPCR-CSS Security Plan and NPCR-CSS System Documentation to protect the data. The NPCR-CSS server is housed in a secure facility with a guard on duty in the lobby 24 hours a day. Elevator and stairwell access is controlled by card key. The server resides on its own local area network (LAN) behind a firewall. Access to the NPCR-CSS server is limited to authorized project staff. It is password protected on its own security domain. No one but project staff is allowed access to the NPCR-CSS data. All project staff must sign a confidentiality agreement before passwords and keys are assigned. All staff must pass background checks appropriate to their responsibilities for a public trust position. NPCR-CSS data that are submitted electronically are encrypted during transmission from the States. They arrive on a document server behind a firewall. Each state has its own directory location so that no state has access to another state’s data. The data are moved automatically from the document server to the NPCR-CSS server. Receipt and processing logs are maintained to document data receipt, file processing, and report production. All reports and electronic storage media containing NPCR-CSS data are stored under lock and key when not in use and will be destroyed when no longer needed. A comprehensive security plan has been developed for the NPCR-CSS system. All project staff receive annual security awareness training covering security procedures. Periodic (currently quarterly, but no less than once a year) review and update of the security processes will be conducted to adjust for rapid changes in computer technology and to incorporate advances in security approaches. 
The security plan will be amended as needed to maintain the continued security and confidentiality of NPCR-CSS data.
 
IIF = yes
Risk Analysis date: 6/15/2009
E-Auth Level = 2
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  11/8/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Respiratory and Enteric Virus Surveillance System (NREVSS) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/11/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-05-02-9422-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC #: 882
7. System Name (Align with system Item name):  National Respiratory and Enteric Virus Surveillance System (NREVSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Wendi Kuhnert
10. Provide an overview of the system:  Collects the number of tests and positive results on respiratory and enteric viruses from about 400 laboratories.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  NREVSS collects information on the number of positive and number of tests performed for several respiratory and enteric viruses.  The system also collects information on the test type, date of testing, and basic lab contact info.  There is no PII data.  Submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No IIF Collected.

E-Authentication Assurance Level = N/A

Risk Analysis Date = 5/11/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L. Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  8/11/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Select Agent Registry (NSAR) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  4/25/2008
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-21-01-03-01-0547-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0170
5. OMB Information Collection Approval Number:  n/a
6. Other Identifying Number(s):  ESC# 547
7. System Name (Align with system Item name):  National Select Agent Registry (NSAR)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Barry Copeland
10. Provide an overview of the system:  The NSAR mission is to provide the regulated community with a secure public web interface for the submission of required registration and related forms.  Separately, it provides the Select Agent (SA) Program with document and records management support in compliance with National Archives and Records Administration (NARA) standards.  It also provides for a secure national database and processing environment, to include data entry and complex reporting capability in support of national incident response or appropriate law enforcement queries.

NSAR stores the minimum data required to support 42 C.F.R Part 73, 7 C.F.R. Part 331, and 9 C.F.R. Part 121.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Yes, APHIS, for compliance with federal mandates.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  NSAR stores the following information about the individuals identified in the CDC-APHIS forms 1-5: First name, middle name, last name, organization, title, address (street, city, state, zip), telephone number, fax number, and email address.  Submission is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The information collected by the EAIPS program will be submitted (as identified in 42 C.F.R. Part 74, 7 C.F.R. Part 331, and 0 C.F.R part 121) through the submission of CDC-APHIS forms 1-5.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  NSAR stores data in a series of password protected databases hosted in secure environments.  The system and supporting paper documents are located within secure spaces compliant with Defense Security Services (DSS) standards.  All personnel with access to the data will have current DoD Secret level clearances (or equivalent).
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  David Knowles
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden, OCISO
Sign-off Date:  4/25/2008
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Survey of Family Growth (NSFG) [SYSTEM]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  11/23/2009
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0164
5. OMB Information Collection Approval Number:  0920-0314
6. Other Identifying Number(s):  ESC #: 188; Roll-up: 1329
7. System Name (Align with system Item name):  National Survey of Family Growth (NSFG)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: 
10. Provide an overview of the system:  William Mosher
13. Indicate if the system is new or an existing one being modified:  
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Existing 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Yes
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No confidential data are released to anyone.  Only NCHS staff and the contractor’s NSFG contract staff are permitted to see confidential data (Section 308(d) of the Public Health Service Act (42 USC 242m) AND the Confidential Information Protection and Statistical Efficiency Act—PL 107-347).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The mission of the National Survey of Family Growth (NSFG) is to provide national statistics, for a national sample of men and women of reproductive age, on factors affecting birth and pregnancy rates, family formation, and related behaviors and attitudes.  The information is collected through in-person interviews with a national sample of men and women 15-44 years of age.

The survey is conducted under contract with a survey research firm.  Under the current contract, the contractor is the Institute for Social Research at the University of Michigan.  The contractor hires, trains, and supervises the interviewers who collect the data, in consultation with the NSFG staff at NCHS.  Although NCHS staff provide extensive, detailed, and continuing direction and feedback to the contractor, the dataset is collected and produced entirely at the contractor and is sent on a CD-ROM to NCHS.

Using extensive consultation among the agencies sponsoring the survey, the content of the survey is carefully planned, so that the length of the survey is limited to 60-80 minutes.

Data from the NSFG support DHHS, CDC, and NCHS objectives and initiatives.  The NSFG provides high-quality national data that measure how the nation is doing with respect to the following of the HHS “20 Department-Wide Objectives:” 
1 (e)   Reduce disparities in ethnic and racial health outcomes;
9 (a)   Promote family formation and healthy marriages;
9 (c)   Improve the safety, stability, and healthy development of our Nation’s children & youth;
19 (c) Reduce the incidence and consequences of …substance abuse… unintended pregnancies and sexually transmitted diseases.

The NSFG supports the CDC “Health Protection Goals” as well, particularly “Achieve Healthy Independence” (Adolescents age 12-19), and “Live a Healthy, Productive, and Satisfying Life” (Adults 20-49 years).

The NSFG supports the NCHS mission and goals by fulfilling the requirements of the Public Health Service Act, Section 306, which directs NCHS to collect birth, death, marriage, and divorce statistics, and to “collect statistics on…..family formation, growth, and dissolution,” as described in item 1.  The NSFG is the only source of cohabitation, marriage, and divorce data in NCHS, and a source of national data on the determinants of sexually transmitted diseases, infertility, unwanted pregnancy, and related topics.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  a)  NCHS policy does not permit disclosure rule changes after the time of data collection and consent.  The consent procedures in place for a given data collection year continue to determine the use of the data in subsequent years. Therefore, “major chang 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  
PIA Approval
PIA Reviewer Approval:  It is the policy of NCHS to make NSFG data available in public use files after they have been reviewed by the NCHS Disclosure Review Board.  Extensive measures to reduce disclosure risks were taken for the 2002 NSFG data file.
Safeguards: Confidential d
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Kerey L Carter
Sr. Official for Privacy Name:  Promote
Sign-off Date:  12:00:00 AM
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Toxic Substance Incidents Program (NTSIP) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  7/9/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  Yes 0923-0008
6. Other Identifying Number(s):  ESC#  96
7. System Name (Align with system Item name):  National Toxic Substance Incidents Program (NTSIP) F.K.A. HSEES
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Maureen Orr
10. Provide an overview of the system:  The National Toxic Substances Incident Program (NTSIP) system was established by ATSDR to collect and analyze information about acute releases of hazardous substances, as well as threatened releases that result in a public health action such as an evacuation. The goal of NTSIP is to reduce the morbidity (injury) and mortality (death) that result from hazardous substances events, which are experienced by first responders, employees, and the general public.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII is only shared or disclosed to NTSIP users who are State and International Partners (State Health Departments).  Each state can only access their data.  DHS users can access data from all states, but name, address, and phone fields are encrypted.  Data are also shared with the Department of Transportation, but the data are filtered and contain no PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) NTSIP collects company name and address information on the event location and the name of parties responsible for hazardous chemical events.  An event location can be an address of an individual (private household), but individual names are not collected.  The application also collects name, agency, address, and phone information on the party who notified the state department of the event.  General information on victims is also collected (age, sex, injury type), but no personally identifiable information is entered.

The event location address is used to determine the latitude/ longitude values, and demographics/ proximity information of hazardous events to aid in prevention and outreach.  The name of the event location is used to determine the type of industry that was involved with the hazardous release.  The notification information is used for contact purposes in case data received is incomplete.  User names, states, and email addresses are stored for user roles and privileges.  The PII collected in this system is not mandatory.

Data are entered by participating state health departments into a web-based application that enables ATSDR to instantly access a limited amount of data for analysis.  Identifiable fields are encrypted to ATSDR and can only be viewed by the event owner.

Data collected include the following:
• Name, address, and phone # of the source that notified the state health department of the event and the date of the notification.
• Time, date, and day of the event.
• Geographic location (street, city, county, state, zip, country, latitude, longitude)
• Name of the event location, and the name of the party responsible for the release.
• The type of industry involved
• The proximity and demographic (land use and nearby population information to estimate the number of persons potentially exposed)
• Place within the facility where the event occurred
• Event type (fixed-facility or transportation related event)
• Factors contributing to the release
• The substances released
• Environmental sampling and follow-up health activities
• Specific information on injured persons: age, sex, type and extent of injuries, distance from spill, population group (employee, general public, responders, student), and type of protective equipment used
• Information about decontaminations, orders to evacuate or shelter-in-place

NTSIP shares non-sensitive data with the Department of Transportation (DOT).  DOT uses this data to compare and merge with incident data located in their database to look for gaps, overlaps, and extrapolation to states to get national estimates.

(2) Data are used to:
• Provide presentations of data from NTSIP to industries that account for a significant number of spills to help plan prevention strategies
• Provide data for Hazardous Material training courses, including data on the risk of injury from methamphetamine labs
• Provide data to establish and maintain protection areas for municipal water systems
• Provide data by county on spills to assist with the proper placement of Hazardous Material teams and equipment
• Distribute fact sheets on frequently spilled chemicals or chemicals that cause a disproportionate number of injuries, such as chlorine and ammonia
• Distribute newsletters or fact sheets to industry, responder, and environmental groups
• Provide presentations for state and local emergency planners

(3) NTSIP contains PII.

(4) Submission of personal information is voluntary and is entered by State and International Partners (State Health Departments), not individuals.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  (1) N/A.  The system does not directly collect PII from the individuals. PII is entered by State Departments.

(2) N/A

(3) N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Administrative:
Users are assigned unique roles and privileges depending on their titles.  The NTSIP system administrator is responsible for assigning these roles.

Technical:
Depending on the user’s role certain fields containing PII data are encrypted.  Company name, address, and telephone information are entered by and visible to State users, but are encrypted to the Division of Health Studies (DHS) representatives. 

User access and authentication is provided through a Secure Data Network (SDN) issued digital certificate which is valid for one year from the date of receipt.  Each user will be assigned a unique numeric token which will be used to access the SDN Web Server and assign user roles and privileges.   SDN also requires a passphrase to access the SDN Web Server. 

Physical Controls:
Production and test servers are stored in a server room secured by the CDC.  Access tools are in place to secure entry into CDC buildings (Guards, ID Badges, Key Card, Cipher Locks, Closed Circuit TV).
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  7/25/2009
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Tuberculosis Surveillance System - External (NTSS-E) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  3/23/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  National Tuberculosis Surveillance System - External (NTSS-E)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Jose Becerra, MD
10. Provide an overview of the system:  The purpose of the National Tuberculosis Surveillance System External (NTSS-E) is to provide an external reporting environment to present approved state users with access to data quality reports specific to their state’s TB Surveillance data.  Users would be required to register in SAMS (CDC’s Secure Access Management System for external users applications) and be restricted to viewing only their state data.  The NTSS-E application will not process, transmit, or store Personally Identifiable Information (PII).  The application will be written in JAVA and utilize Microsoft SQL Server 2008.  All information originally comes from the Common Data Store (CDS) TB Data Mart, created and updated by the Data and Message Brokering (DMB) and from the NTSS-I database and contains state RVCT surveillance data.  No updates are made via this reporting application, as all updates must come through the PHIN-MS secured messaging environment and processed through the NTSS-I system.  Information is transferred by using scheduled SSIS stored procedure jobs to refresh data views from the NTSS-I database into the NTSS-E database.  Data refreshes will be scheduled weekly.  
NTSS-E does not process, store, or transmit Personally Identifiable Information (PII).
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information in the database includes county, state, and zip code, but no PII/IIF would be included (no street address or names). The surveillance information requested by CDC consists of detailed reports of persons with TB (de-identified), including information on the individual's HIV serostatus, demographics (e.g., homelessness, correctional institution, or long-term care facility), alcohol and drug use, drug therapy, and drug susceptibility results. The data are used by U.S. Public Health Service scientists and cooperating state and local health officials to help understand and control the spread of TB. No PII data is processed, stored, or distributed by this application.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  3/23/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Tuberculosis Surveillance System - Internal (NTSS-I) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  10/28/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  National Tuberculosis Surveillance System - Internal (NTSS-I)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Jose Becerra, MD
10. Provide an overview of the system:  The purpose of the National Tuberculosis Surveillance System Internal (NTSS-I) is to provide an internal data processing environment utilizing CDC approved desktop COTS applications (Rhapsody, SAS System, and Microsoft SQL Server Integration Services (SSIS)) to transform data, prepare tables for SAS analysis and loading into other DTBE systems (TB GIMS and NTIP).  All information comes from the CDS TB Data Mart and from the TIMS database and contains state RVCT surveillance data.  
Information is transferred by using Rhapsody processes and SSIS stored procedure jobs to merge and transform RVCT data.  Meta data structures and common data reference libraries are used to support processing and reporting, as well as routine and ad hoc data cleaning activities.  Provisional and final data sets are generated using SAS for internal use by DTBE staff.  Other data files are produced using SSIS and SAS for uploading into other database systems.  Source data is typically loaded daily and reprocessed, but output is typically shared weekly or biweekly, depending on the programmatic needs.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information in the database includes county, state, zip code and DOB, but no other known PII/IIF would be included (no street address or names). The surveillance information requested by CDC consists of detailed reports of persons with TB (de-identified), including information on the individual's HIV serostatus, demographics (e.g., homelessness, correctional institution, or long-term care facility), alcohol and drug use, drug therapy, and drug susceptibility results. The data are used by U.S. Public Health Service scientists and cooperating state and local health officials to help understand and control the spread of TB. The only PII data is DOB, and submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  As data is collected by State Health organizations:

NTSS-I does not notify nor obtain consent from any individuals whose PII is provided from State Departments of Health and State and Local Public Health Labs when major changes occur to the system.
NTSS-I does not notify nor obtain consent from any individuals regarding what PII is being collected from them. 
NTSS-I does not provide any information to any individual on how data is used or shared.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  NTSS-I servers are maintained in DSS where the security controls for a Moderate system (SP 800-53) are implemented and facilitated. NTSS-I users access the data on the system on a need-to-know basis. NTSS-I users have AD accounts with RBAC profiles. NTSS-I users are granted access to the data based on their roles. 

The servers have auditing in place for the OS and SQL database logs, and the servers are protected within DSS in a secure environment with security guards, CCTV, proximity cards and readers. 

PII Yes
Risk Analysis Date: 10/1/2010
E-Auth Level: N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  11/3/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Violent Death Reporting System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  2/6/2012
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-03-02-9623-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 980
7. System Name (Align with system Item name):  National Violent Death Reporting System (NVDRS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Leroy Frazier, Jr.
10. Provide an overview of the system:  The National Violent Death Reporting System (NVDRS) is an incident-based system designed to capture data on violent deaths (suicides, homicides, and deaths of undetermined intent) in a relational database.  Information on deaths is collected by state-level partner agencies (typically state health departments), and information is transmitted to the CDC after being stripped of all personally identifiable information.  Cases are typically identified as death certificates are filed or by data abstractors reviewing cases reported to coroner/medical examiner (CME) offices.  Accordingly, data within the NVDRS can be analyzed on the victim or suspect level (e.g. to determine details about victims or suspects) or the incident level (in which multiple homicides or linked homicide/suicides can be considered as single events).  Each state’s own Violent Death Reporting System establishes the details of that state’s cases from primary and secondary data sources.  Primary data sources are: death certificates (DC), CME records, police reports (PR), and crime laboratory data.  Secondary, or optional data sources are: child fatality review team data (CFR), supplementary homicide reports (SHR), hospital (Hosp) data, emergency department (ED) data, and Alcohol, Tobacco, Firearms and Explosives (ATF) trace information on firearms.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A.  The system does not contain any PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1)  NVDRS collects information on victims (deceased persons) and alleged perpetrators (deceased or live suspects). Details are collected on a large number of socio-demographic characteristics of deceased persons and basic demographic characteristics of both live and deceased suspects.  The system also collects additional information on circumstances contributing to the deaths, such as (for suicides and deaths of undetermined intent) circumstances related to mental health, disclosed intent, and precipitating factors; and felony-related or non-felony related circumstances for homicides.  In addition, NVDRS captures data on interpersonal relationships, toxicology and the mechanisms of injury.

(2)  This system allows data from police reports, death certificates, coroner’s reports, medical examiners' offices, and medical providers to be combined into one cohesive data base allowing a variety of public health professionals and decision-makers to analyze and understand the nature of and trends of violence in the United States.

(3)  The system does not contain any PII.

(4)  N/A.  The system does not contain any PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A.  The system does not contain any PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A.  The system does not contain any PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  2/6/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National Vital Statistics System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  1/8/2009
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-06-01-1030-02
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0166
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC #: 191
7. System Name (Align with system Item name):  National Vital Statistics System (NVSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Delton Atkinson
10. Provide an overview of the system:  The National Vital Statistics System (NVSS) collects selected data from 57 jurisdictions (50 states, 2 cities, 5 US Possessions). Selected data is based on the US Standard Certificates of Birth and Death and the US Standard Report of Fetal Death.  Except for the Death records, no IIF is collected from any jurisdiction.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Special data releases approved by State vital registration officials Census Bureau for Population projections and estimates. Published reports prepared by NCHS staff or contractors are available to the public generally.  Electronic microdata files containing no personally identifiable information are provided to the public as well. With the permission of the data provider (e.g. State Registrars) in a restricted data access program, electronic files containing additional detail are provided to qualified researchers who have signed a Restrictive Confidentiality Agreement.  The Department occasionally contracts with a private firm for the purpose of collecting, analyzing, aggregating, or otherwise refining records in this system. Relevant records are disclosed to such a contractor. The contractor is required to maintain Privacy Act safeguards and to strictly follow Section 308(d) of the Public Health Service Act.  NCHS may disclose selected identifiable information to authorized recipients such as the Social Security Administration for statistical analysis purposes only, consistent with the requirements of Section 308(d) of the Public Health Service Act and the Privacy Act.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Selected data from birth, death, and fetal death records are collected for statistical (aggregate) analysis to identify and highlight public health and demographic trends relating to those events.   No IIF is used in such analysis and no IIF is included in publications that result from the analysis work.  Public Use datasets are created from the final annual datasets, with a screened subset of the available data elements.  No IIF is included in any public use dataset.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The only IIF collected by the NVSS is for death records.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Every person with access to the NVSS (administrators, developers, end users) is governed by CDC Privacy and Confidentiality policies.  Access to data is controlled by Windows Integrated Authentication, which restricts use to internal, authorized CDC users.  The data center in which all servers, database, and network hardware and software reside is protected with software and hardware firewalls, physical access controls, and user authentication.

The SSN is collected for the decedent on a death record.  The SSN will be masked on displays and reports.  Decedent names, father’s surname, and dates of Birth/Delivery are collected for decedents, newborns, and parents.  No other IIF is collected on birth or fetal death records.
E-Authentication Assurance Level = 3
Risk Analysis Date = November 06, 2009
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Felicia P Kittles
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  1/12/2009
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC National West Nile Surveillance System (Arbonet) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  6/8/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-02-02-1480-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 911
7. System Name (Align with system Item name):  National West Nile Surveillance System (ArboNet)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Marc Fischer
10. Provide an overview of the system:  National West Nile Surveillance System (Arbonet).  Allows reporting of arboviral cases from the states.  Can be reported through XML or through ArboNet front end.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  ArboNet provides an electronic-based surveillance and reporting system of West Nile and other arbovirus activity in humans, birds, mosquitoes and other mammals in order to facilitate the exchange of information and data between federal, state and local authorities.  ArboNet captures arbovirus cases from states in five categories: human, mosquito, avian, veterinary, and sentinel animals.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  6/8/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCCD OSH General Application Support [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/2/2009
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-03-02-9023-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CDC CCID NCPDCID OSH GA - Cessation Resource Center (Admin)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cindy Allen
10. Provide an overview of the system:  The CoCHP Internet Platform provides dynamic web content to internal CDC staff in support of the Coordinating Centers for Health Promotion. The platform also hosts several applications for other Coordinating Centers.

Provides access to user-tested tobacco cessation materials.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Business Contact information is shared with internal staff.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  There are several applications that maintain business contact data.

The data is used in routine administrative tasks.

The PII is a requirement of employment at CDC and therefore mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No processes in place.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Platform follows all NIST administrative, technical, and physical controls as required under the moderate EMSSP.

IIF Collected = Yes

E-Authentication Assurance Level =

Risk Analysis Date = 12/10/08
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Felicia Kittles
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  1/5/2009
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCCDPHP Contracts Tracking [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/2/2009
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-01-02-1055-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CDC CCID NCPDCID OD NCCDPHP Contracts Tracking
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cindy Allen
10. Provide an overview of the system:  The CoCHP Internet Platform provides dynamic web content to internal CDC staff in support of the Coordinating Centers for Health Promotion. The platform also hosts several applications for other Coordinating Centers.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Business Contact information is shared with internal staff.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  There are several applications that maintain business contact data.

The data is used in routine administrative tasks.

The PII is a requirement of employment at CDC and therefore mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No processes in place.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Platform follows all NIST administrative, technical, and physical controls as required under the moderate EMSSP.

IIF Collected = Yes

E-Authentication Assurance Level =

Risk Analysis Date = 12/10/08
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Felicia Kittles
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  1/5/2009
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCCDPHP External Platform (N/A) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  10/18/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NCCDPHP External Platform
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cindy Allen
10. Provide an overview of the system:  The NCCDPHP External Platform serves dynamic Web sites to the general public, state and local health departments, prevention research centers, public health officials, and educational institutions in support of NCCDPHP programs.  The platform is designed to host applications that disseminate Low-category, public data and information; provide interactive features to users of the public Web site; and collect Low-category, public-domain data and information from NCCDPHP’s funded and unfunded partners.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1.    There is a variety of data and information, including business contact information.
2.    Data/info dissemination; public health education; tools and training; program management; and program monitoring.
3.    No PII in the system.
4.    N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  10/18/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCEH/ATSDR Application Change Tracking System (ACTS) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/10/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC# 1672
7. System Name (Align with system Item name):  NCEH/ATSDR Application Change Tracking System (ACTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Carol Waller
10. Provide an overview of the system:  NCEH/ATSDR Application Change Tracking System (ACTS) is a client/server system using AxoSoft’s commercial-off-the-shelf (COTS) product called OnTime and a SQL server.  The software allows end-users to track various bugs within applications, automate various processes, enable project visibility, and track ongoing changes.  OnTime is an integral piece of ACTS.  ACTS is a product management suite application designed for bug tracking, requirements management, managing project visibility, a wiki, and help desk automation.  ACTS is installed on the user’s desktop and can send an email to a mailbox.  The NCEH Office of Informatics will use ACTS for tracking various bugs within applications, automating various processes, project visibility, and tracking of ongoing changes in several systems across NCEH/ATSDR.
ACTS is needed by the NCEH/ATSDR general users to track various bugs within their applications for better work efficiency and to streamline processes.  ACTS contains no Personally Identifiable Information (PII) of any sort and is a non web-based application.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) ACTS tracks various bugs within applications, automates various processes, enables project visibility, and tracks ongoing changes.

(2) ACTS is designed for bug tracking, requirements management, managing project visibility, a wiki, and help desk automation.

(3) ACTS does not contain any PII.

(4) N/A.  The system does not contain any PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A.  The system does not have PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  8/19/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCHHSTP Manuscript Tracking System (MTS) 615 [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/10/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-02-02-9323-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 135
7. System Name (Align with system Item name):  Manuscript Tracking System 615 (MTS 615)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dr. Terence Chorba
10. Provide an overview of the system:  The MTS 615 application was developed to automate the 615 Clearance processes by which HHS reviews and approves the expenditure of funds for publications paid for by the Department and determines whether printing a particular product is an appropriate use of HHS funds.  To justify this, the clearance officer reviews the product's key messages, purpose, audiences and modes of distribution, specifications, and estimated costs. HHS must clear all publications funded by the Department if more than 50 copies will be distributed outside the Department.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A (No PII)
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A

No IIF Collected
EAAL = N/A
Risk Analysis Date = 26 April 2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  8/11/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCHS Automated Tracking System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  10/20/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  1329
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0164
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC ID = 197
7. System Name (Align with system Item name):  CDC NCHS Automated Tracking System (NCHSAT)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dawn Scott
10. Provide an overview of the system:  The NCHS Automated Tracking System (NCHSAT) is a GUI driven data management system which supports the address tracking of NCHS survey participants. Participant names and addresses are matched with United States Postal Service (USPS) address information files and/or National Change of Address Link (NCOALink) database to collect information about participant migration and to collect updated address information.  This system assists NCHS with re-contacting survey participants to conduct follow-up survey activities and to improve the data quality of administrative records data linkage projects.
The data collection activity is authorized by Section 308(d) of the Public Health Service Act (42 U.S.C. 242m(d)).  All information obtained will be held strictly confidential and will be used for statistical research purposes only.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Data in the NCHS Automated Tracking System are used by the OAE Special Projects Branch and the NCHS survey owners for statistical purposes. 

Survey participant names and mailing addresses are sent to the National Change of Address Link (NCOALink) and/or to Postmasters employed by the US Postal Service to confirm or obtain updated name and address information.

The data contained within the NCHSAT is not shared with any other persons within NCHS or external to NCHS.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  As the Nation’s principal health statistics agency, NCHS compiles statistical information to guide actions and policies to improve the health of the nation.  To carry out this mission NCHS conducts several major national health surveys designed to collect data about the health status and health behaviors of the nation’s population.  During the conduct of these surveys, respondents are informed that their participation is voluntary and that they may refuse to answer any questions.  Survey respondents are informed about the planned uses of the data and as part of the interview process are asked to provide personal identification information.  Names and addresses of subject survey respondents, collected during respondent interviews are loaded into the NCHS Automated Tracking system at the completion of the active data collection period.  The NCHSAT system is used to update name and address information through NCHS approved data collection and verification activities.  These activities involve matching current name and address information to the National Change of Address Link (NCOALink) database and/or contacting Postmasters employed by the US Postal Service to confirm name and address information for current residents. 

NCHS conducts survey participant tracking for two reasons:  1) to assist in re-contacting survey participants to conduct follow-up survey activities and 2) to improve the data quality of administrative records data linkage projects.  Longitudinal follow-up studies provide a tool to measure health outcomes and to observe the natural history of diseases.  By passively tracking survey respondent migration, NCHS reduces costs and increases survey response rates for key data collection activities.  Administrative record linkage projects serve to increase the analytic potential of NCHS population based health surveys for epidemiologic research by linking exposures to health outcomes (such as mortality) and increasing the accuracy and level of detail of health data.   Using the NCHSAT to collect accurate name and address information increases the accuracy of linking survey respondents to the correct administrative record, reduces the cost of survey respondent re-location after the initial survey contact, and results in less attrition in both longitudinal and linkage data collection efforts which improves the scientific value of the data.  Updating name and address information is the minimum activity necessary to locate survey respondent current residence.   

The activities of the NCHS Automated Tracking system support DHHS strategic goal 4 – Scientific Research and Development Objective 4.2 Increase Basic Scientific knowledge to improve human health and development.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  NCHS obtains verbal notice of consent from survey participants to collect IIF.  NCHS survey participants are always notified through the informed consent process that the provision of IIF is voluntary. The informed consent process informs survey participants of the intended uses of the data and the legislative requirements placed on NCHS to protect survey participants' confidentiality.  NCHS Ethics Review Board requirements do not allow NCHS to deviate from the intended uses of IIF provided in the informed consent process. Section 308(d) of the Public Health Service Act (42 U.S.C. 242m(d)) prevents NCHS from disclosing identifiable information collected from survey participants for any use other than statistical research.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:
· Authorized Users: Authorized users of the NCHSAT may include Project Directors, statisticians, and IT specialists on the NCHS staff.
· Data Transmission Safeguards: Data is transferred via encrypted, password-protected CD to a USPS licensee to obtain National Change of Address updates. A confidentiality agreement is signed with the vendor for the purchase and release of the NCOA data. The Center's bonded courier, Federal Express, signs for the data, and the data is returned by the same method. Currently, confidentiality agreements with NCHS indicate we are not allowed to transmit such data via FTP and/or other methods to the vendor. The files are sent via an AES (Advanced Encryption Standard) encrypted processing format, and the password is released under separate cover upon notification from the vendor of receipt of the file. Vendor agreements are approved by the NCHS Confidentiality Officer.
Address verification forms are sent to USPS designated Post Offices to the attention of USPS Postmasters for processing. A letter explaining authorization for collecting the data and how it will be used is sent to the USPS Postmaster.
· Physical Safeguards: The CDs and hard copy printouts of records are stored in locked files or offices when not in use. Building security in Hyattsville, MD includes access controlled by a security guard and the use of identification badges by employees. The NCHSAT is updated with information extracted from CDs and/or USPS forms, and once the update is verified as accurate, the CDs and forms are destroyed by shredder.
· Procedural Safeguards: All employees of NCHS and contractor personnel with access to NCHS Automated Tracking records are required, as a condition of employment, to sign an affidavit binding them to nondisclosure of individually identifiable information, to view an NCHS video tape addressing confidentiality and systems security, and to complete annual recertification of IT Information Security Awareness Training. Periodic correspondence is sent to staff to reinforce confidentiality regulations, guidelines, and procedures. Protection for computerized records both on the mainframe and the CIO Local Area Network (LAN) includes programmed verification of valid user identification code and password prior to logging on to the system, mandatory password changes, limited log-ins, virus protection, and user rights/file attribute restrictions. Each user name is assigned limited access rights to files and directories at varying levels to control file sharing. There are routine daily backup procedures and a Vault Management System for secure off-site storage for backup tapes.
NCHSAT data is stored in a Microsoft SQL Server database. This database can only be accessed by Windows-authenticated users granted privileges to the database. Roles have been set up so that regular users can only access the data through the application. Authorization to work on specific activities within the system is granted by the survey administrator.
· Implementation Guidelines: These safeguards are established in accordance with guidelines in HHS Information Security Program Policy (http://intranet.cdc.gov/ociso/Security_Policy.doc) and the NCHS Staff Manual on Confidentiality. Security is provided for information collection, processing, transmission, storage, and dissemination in general support systems and major applications.
· Disclosure review: The NCHS Automated Tracking system does not release data to the public.
· Security review: The NCHSAT is under review by internal CIO security experts.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  10/20/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCHS Management Information System (NCHS-MIS) [SYSTEM]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  10/16/2009
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0169
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC #: 198
7. System Name (Align with system Item name):  NCHS Management Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Richard Connor
10. Provide an overview of the system:  The NCHS Management Information System is an automated tool that administrative staff in the Office of Management and Operations and the Office of the Center Director at the National Center for Health Statistics use to track administrative information so reports required by management can be produced.  The major type of information found in the MIS is current employee information.
The MIS is made up of the following modules: NCHS Staff Directory, Position Management, Awards, NCHS Budget Tracking, FTE Reporting, NTEU Time Tracking, Personnel Query, Historical Information Personnel, NCHS Org Chart, Flexiplace, Vacant Offices, OCD Correspondence Log, Personnel Reporting Retirement Eligibility, and Travel Conference.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Share names and addresses of recent NCHS retirees with NCHS Public Affairs Office (PAO).  PAO is in charge of the NCHS Retiree Luncheon and they mail each retiree an invite.

As per the Collective Bargaining Agreement between NCHS and NTEU, NCHS is required to supply NTEU with names and email addresses of bargaining unit employees.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The NCHS Management Information System is an automated tool that administrative staff in the Office of Management and Operations and the Office of the Center Director at the National Center for Health Statistics use to track administrative information so reports required by management can be produced.  The major type of information found in the MIS is current employee information.
The MIS is made up of the following modules: NCHS Staff Directory, Position Management, Awards, NCHS Budget Tracking, FTE Reporting, NTEU Time Tracking, Personnel Query, Historical Information Personnel, NCHS Org Chart, Flexiplace, Vacant Offices, OCD Correspondence Log, Personnel Reporting Retirement Eligibility, and Travel Conference. The submission of the PII data is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Per the CDC Implementing Instructions for the DHHS Information Security Program Policy (5.1), Identification and Authentication, access controls must utilize user or role based CDC approved authentication mechanisms as a basis for accessing objects or information. Procedures and rules are developed to govern establishing, activating, modifying, and terminating an account and the associated access rights.
Access to all CDC systems must be authorized by the appropriate manager and must include access rights (or privileges) commensurate with the user’s job responsibilities. The access assigned should reflect the level of confidentiality, sensitivity and value of the data and be safeguarded accordingly. Access must only be given to the information or systems that are necessary for the user to perform their job function. The procedures used to assign user access must be documented. Authorization for access assignment must be auditable.
Per the CDC Implementing Instructions for the DHHS Information Security Program Policy (5.1.1), Identification, CDC information resources shall be managed to ensure the appropriate degree of security, confidentiality, integrity, accessibility, authenticity, reliability, and accuracy based on the criticality and sensitivity of the information.
CDC-associated individuals shall be formally authorized for access to information resources not made available to the public, and shall exercise all authorized access to computer-based information and systems through an electronic identity (commonly called a "User ID" or a "computer account") that maps uniquely to her/him.  The computer-controlled limits on what can be done by the "User ID" will be expanded - from the standard default of no access - only enough to assure that the individual’s assigned duties can be performed, called the "least privilege" configuration.  In special circumstances, an individual may have more than one User ID assigned; but each such User ID must map uniquely to him/her and may only be used by him/her.
Authentication for resources is through the use of usernames and passwords.  Users and processes acting on behalf of users are uniquely identified through the various networks.  Login to the management application is handled by application-level authentication using a username and password.  Login to databases by other utilities and applications is handled by user rights assigned in the database.

IIF is collected and the proper controls are utilized to safeguard sensitive information.

E-Authentication Assurance Level = 3

Risk Analysis Date = September 17, 2009
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Felicia P Kittles
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  10/22/2009
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCHSTP GAP Request (N/A) [SYSTEM]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/2/2009
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC #: 1050
7. System Name (Align with system Item name):  CDC CCID NCPDCID CoCHP Intranet Platform NCHSTP GAP Request
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cindy Allen
10. Provide an overview of the system:  The CoCHP Internet Platform provides dynamic web content to internal CDC staff in support of the Coordinating Centers for Health Promotion. The platform also hosts several applications for other Coordinating Centers.

GAP Research Inquiries.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Business Contact information is shared with internal staff.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  There are several applications that maintain business contact data.

The data is used in routine administrative tasks.

The PII is a requirement of employment at CDC and therefore mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No processes in place.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Platform follows all NIST administrative, technical, and physical controls as required under the moderate EMSSP.

IIF Collected = Yes

E-Authentication Assurance Level =

Risk Analysis Date = 12/10/08
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Felicia Kittles
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  1/5/2009
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCIPC Extramural Tracking System (NEXT System) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  4/18/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-02-00-02-9509-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC #: 897
7. System Name (Align with system Item name):  NCIPC Extramural Tracking System (NEXT)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Robin Forbes
10. Provide an overview of the system:  The National Center for Injury Prevention and Control (NCIPC) Extramural Tracking System (NEXT) is an information and management system which provides the center a centralized tool that includes performance tracking for all extramural funding for NCIPC as well as historical data on funding recipients, external reviewers, project officer management and funding analysis.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) NEXT includes performance tracking for all extramural funding for NCIPC as well as historical data on funding recipients, external reviewers, project officer management and funding analysis.
(2) NEXT is a workflow system for tracking the publishing of Funding Opportunity Announcements and the award process for the CDC’s National Center for Injury Prevention and Control (NCIPC).
(3) NEXT does not contain PII.
(4) N/A.  NEXT does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A.  NEXT does not contain PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A.  The system does not contain PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  4/18/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NCIPC Success Stories Portal (SSP) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/2/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1682
7. System Name (Align with system Item name):  NCIPC Success Stories Portal (SSP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Wendy Holmes
10. Provide an overview of the system:  The National Center for Injury Prevention and Control (NCIPC) is developing an NCIPC-wide web-based portal system, Success Stories, that is designed for injury and response-related success story development and story archive, as well as related training and technical "on demand" assistance through a Help Avatar.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) SSP will collect and share injury/response-focused success stories, capture health problems, share best practices, and showcase impact.

(2) NCIPC will use SSP to:
· Gain support for successful injury research and program-related projects
· Educate on the importance of injury prevention and response
· Recognize the accomplishments of NCIPC, its grantees, and partners within injury prevention and response practice
· Make key audiences aware of the benefits NCIPC has to offer

(3) The information collected does not contain any PII.

(4) N/A.  The system contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The system does not contain PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system does not contain PII.
EAAL = N/A
Risk Analysis Date = 5/6/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L. Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  9/7/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC New Vaccine Surveillance Network [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  12/1/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-06-02-9224-00-110-031
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No, System does not constitute a “system of records” under the Privacy Act.
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC #: 1072
7. System Name (Align with system Item name):  New Vaccine Surveillance Network (NVSN)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Wendi Kuhnert
10. Provide an overview of the system:  The system collects inpatient, outpatient, and well-child new vaccine surveillance data to evaluate the impact of new vaccines and vaccine policies. The data is used for multiple studies.  Data are analyzed by CDC or site personnel.  Results are presented at the Advisory Committee for Immunization Practices (ACIP), professional meetings and in peer-reviewed journals.  The audience is generally the public health scientific community.  Results have been used in the determination of U.S. vaccine policy and recommendations by the ACIP.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No, System does not share or disclose information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  NVSN collects data via seasonal active population-based surveillance for hospitalizations associated with acute respiratory illness (ARI) and acute gastroenteritis (AGE) in children who reside within specific counties.  Active surveillance is also conducted in emergency departments and outpatient clinics.  The surveillance data includes:  symptoms, diagnosis, interview information, lab results, and vaccine verification.  Research on the data will lead to changes in strategies and policies to maximize the effectiveness of the vaccines and create national level vaccine recommendations.  Date of Birth is the only PII contained in the system.  The inclusion of Date of Birth (or age) is mandatory because the effectiveness of vaccines is directly tied to the age of the patient and the patient data cannot be studied without it.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The Date of Birth is the only PII in the system.  The date of birth is never shared or disclosed by NVSN except in aggregate statistical research results where 100s of patients are represented.  Thus, NVSN never shares or discloses any PII outside of research.  If, however, disclosure changes or other major changes do occur, the NVSN sites have a paper record of patient contact information to reach patients.  The patient’s parents or legal guardians will be called and notified to obtain consent and let them know how the information will be used or shared.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Administrative controls: IIF data are backed up daily and copies stored in a separate facility. The SQL Server database administration is maintained by ITSO.  All modification to the database conforms to ITSO CM.  Technical controls: Access to the data is controlled by user ID and password in addition to the user ID and password needed to access the network. Physical controls include security guards, ID badges, cardkeys and cipher locks.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  12/1/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC Newborn Screening Quality Assurance Program [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/17/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-02-02-9221-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC #: 369
7. System Name (Align with system Item name):  Newborn Screening Quality Assurance Program (NBSQAP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Carol Bell
10. Provide an overview of the system:  The Newborn Screening Program conducts quality assurance for state and international laboratories which screen for treatable inherited metabolic diseases in children.  Effective screening by states, using dried blood spot (DBS) specimens collected from newborns soon after birth, combined with follow-up diagnostic studies and treatment, helps prevent mental retardation and premature death.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  NBSQAP does not share or disclose IIF information. Only the partner can view its own information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1) NBSQAP collects and maintains test scores from various test laboratories and partner information.
2) The National Center for Environmental Health (NCEH) laboratory developed the Newborn Screening Quality Assurance Program (NBSQAP) for Inborn Errors of Metabolism, Sickle Cell Disease, and Other Hemoglobinopathies.  NBSQAP uses partner identifier (name) and a non-personal email address to exchange test results (all communications are between non-personal mailboxes).
3) NBSQAP contains no PII that is subject to the Privacy Act
4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A.  NBSQAP contains no PII that is subject to the Privacy Act
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Yes.  See attached E-Auth Appendix to the BSI.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  8/17/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NewBorn Screening Requisition Database (NBSRDB) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  5/18/2011
2. OPDIV Name:  CDC

3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  NewBorn Screening Requisition Database (NBSRDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Steve Vickery
10. Provide an overview of the system:  The NewBorn Screening Requisition Database (NBSRDB) is a non-web based application used by the NewBorn Screening and Molecular Biology Branch (NSMBB) to monitor purchases by recording requisitions in an Access database. The information contained in this system includes the following: the requestor, the receiving person, payment type, custodial account, order ID, justification, purchase date, required by date, supplier, catalog number, quantity, price, common account number, project code, object code, receipt information and maintenance contracts. The system can generate reports including spending summaries by accounting codes, vendor and requisition tracking. Some reports have a drill down for detailed account analysis. Reports can be exported to Microsoft Word, Excel or PDF format. Approximately 40 users have access to the system.  The team leaders decide which users have access to the system.  This system does not contain any Personally Identifiable Information (PII).
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No, this system does not contain any Personally Identifiable Information (PII).
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1.  The program will collect requisitions used by the Newborn Screening and Molecular Biology Branch.
2.  The purpose is to be able to effectively manage the branch’s expenditures.
3.  This system does not contain any Personally Identifiable Information (PII).
4.  N/A - This system does not contain any Personally Identifiable Information (PII).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A - This system does not contain any Personally Identifiable Information (PII).
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  5/18/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NH DNA Bank [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  10/20/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-03-02-9221-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  ESC# 1598
7. System Name (Align with system Item name):  NH DNA Bank (NHDNABANK)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Margaret Gallagher
10. Provide an overview of the system:  The Molecular Biology staff (now part of the New Born Screening and Molecular Biology Branch) is creating a DNA bank of samples from the NHANES study and other sources.  These samples are collected for genetic epidemiologic studies.  The branch has developed a custom front-end MS Access application, NH DNA Bank (NHDNABANK), which is used for tracking specimens, recording laboratory processing and quality control.  The application automatically assigns the unique IDs for sample and process identification and provides other useful functions to the laboratory staff.  Reports and bar-coded sample labels are provided by this application.  The NHDNABANK system contains no Personally Identifiable Information (PII) of any sort.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A.  NHDNABANK does not contain PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) Sample information from the NHANES study and other sources.
(2) Samples are collected for genetic epidemiologic studies.
(3) NHDNABANK contains no PII.
(4) N/A. NHDNABANK contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A. NHDNABANK contains no PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A.  NHDNABANK contains no PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  10/20/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NIOSH Administrative Platform (NIOSH AP) [SYSTEM]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  7/14/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  NIOSH Administrative Platform (NIOSH AP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Kenneth W. McKneely
10. Provide an overview of the system:  NIOSH AP is a NIOSH system designed as a platform for internally developed administrative applications with common architectural design elements, information types and low security categorization impact levels.  The NIOSH AP will contain systems which have administrative purposes including information dissemination, employee resources, and other data important to NIOSH administrative function.  NIOSH AP will be used for additional future applications that reuse the code base for similar purposes. Additions and other changes to NIOSH AP will be made either via the Change Management Process for minor changes or via resubmitting the Authorization Package for major changes.
The NIOSH AP system is designed to allow access to data hosted on ITSO managed Microsoft SQL Servers running in the DSS. Frontend access is via Microsoft IIS Web Servers hosted in the DSS or Microsoft Access Project files hosted on the CDC network to backend. All of the servers are maintained by ITSO and conform to the CDC Secure Baseline Configurations. No Legacy Microsoft Windows 2000, SQL 2000, or prior version servers are employed in the NIOSH AP system. The systems will be maintained on the current CDC ITSO recommended and managed Microsoft web server and database management platforms.    
NIOSH AP consists of several applications:
DSHEFS News and Social Media Feed System - (\\cdc\project\NIOSH_DSHEFS_OCCHazards\RSSPrototype.adp) - This system will allow users to subscribe and combine RSS feeds into a database on any topic of their choice.  The feed sources can be any RSS feed including news feeds or social media sites that support feeds (e.g. “Twitter”).  Feeds can be based on keywords spanning several sources.  The system can then further filter the information using SQL full-text search capabilities.  The resulting database is updated on a scheduled basis (currently on a once daily basis).  This database is accessed by an MS Access ADP front-end application.   This Access front-end provides utilities to systematically review the data that has been pulled and mark it as relevant for any topic of interest.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Administrative – Users are granted access to NIOSH IntraApps when authorized by the lab administrator.

Technical - Data is secured through security settings in the application and SQL Server.

Physical – The SQL server is located in a server room with limited access in a building secured with guards, ID badges, key cards and closed circuit TV.

PII no
E-Auth Level = N/A
Risk Analysis date: 2/1/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  7/25/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NIOSH DSHEFS Industry Wide Studies Branch (IWSB) Data Management System (IDMS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/14/2009
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-05-02-9522-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0147
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  Industry Wide Studies Branch (IWSB) Data Management System (IDMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Patricia Laber
10. Provide an overview of the system:  The IDMS facilitates cohort mortality and cohort morbidity study data processing.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Portions of IDMS records (name, Social Security number if known, date of birth, and last known address) may be extracted from the system to match with external systems in order to determine vital health status, causes of death, and location information. This enables NIOSH to evaluate whether excess occupationally related mortality or morbidity is occurring.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Studies carried out under this system evaluate mortality and morbidity of occupationally related diseases and injuries, to determine their causes, and to lead toward prevention of occupationally related diseases and injuries in the future.

The system collects and maintains PII, including individuals’ names, phone number, date of birth, race, gender, SSN, address, vital status, death information including causes of death, and job assignment history.  Additional information, such as smoking history, may also be collected based on the needs of the individual study.

Dissemination is through study publications in summarized, non-identifiable format. Determinations for individual requests for disclosure are made by the Privacy Act Officer and through the FOIA office.

Collection of records is authorized without individual workers’ consent.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The information in IDMS is a subset of the information covered by the Privacy Act System Notice 09-20-0147. The system notice contains provisions for notifying individuals when substantial changes are made to the system of records.  IDMS does not provide any additional notification provisions.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Administrative – Users are granted access to IDMS when authorized in writing by the researcher responsible for the study.

Technical – Data is secured through security settings in the application and SQL Server.

Physical – The SQL server is located in a server room with limited access in a building secured with guards, ID badges, key cards and closed-circuit TV.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Felicia P. Kittles  OCISO C&E PM
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  1/20/2009
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / CDC NIOSH Engineering Controls Database (NECD) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  6/6/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIOSH Engineering Controls Database (NECD)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dawn Farwick
10. Provide an overview of the system:  The purpose of the system is to provide NIOSH staff an internal online database tool that contains summaries of all NIOSH engineering controls developed or tested by NIOSH researchers.
The data are summaries written from previously published reports, journal articles or presentations, describing engineering controls researched by NIOSH engineers.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Summaries of all NIOSH engineering controls developed or tested by NIOSH researchers.
The data are summaries written from previously published reports, journal articles or presentations, describing engineering controls researched by NIOSH engineers. No PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  6/6/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

 

06.3 HHS PIA Summary for Posting (Form) / CDC NIOSH Intranet Platform
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/2/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  NIOSH Platform for Intranet Applications (NIOSH IntraApps)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Kenneth W. McKneely
10. Provide an overview of the system:  NIOSH IntraApps is a NIOSH system designed as a platform for internally developed intranet web applications with common architectural design elements, information types and low security categorization impact levels. NIOSH IntraApps will be used for additional future applications that reuse the code base for similar purposes. Additions and other changes to NIOSH IntraApps will be made either via the Change Management Process for minor changes or via resubmitting the Authorization Package for major changes.
The NIOSH IntraApps system consists of frontend Microsoft IIS Web Servers running ASP.NET applications hosted in the DSS, connecting to backend Microsoft SQL Servers running in the DSS. All of the servers are maintained by ITSO and conform to the CDC Secure Baseline Configurations. No legacy Microsoft Windows 2000, SQL 2000, or prior version servers are employed in the NIOSH IntraApps system. The systems will be maintained on the current CDC ITSO recommended and managed Microsoft web server and database management platforms.
NIOSH IntraApps consists of several similar web applications:
RATS – Radionuclide Tracking System (http://ratsdev.cdc.gov). A supplemental application used to assist the Radionuclide Safety Officer in generating reports and tracking radioactive waste including calculating the radioactive decay of the waste.
OAMS Intranet – (http://morgantowndev.cdc.gov). A data-driven site for OAMS – Morgantown used to provide safety, service, and labor management information to Morgantown employees/contractors.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Administrative – Users are granted access to NIOSH IntraApps when authorized by the lab administrator.

Technical – Data is secured through security settings in the application and SQL Server.

Physical – The SQL server is located in a server room with limited access in a building secured with guards, ID badges, key cards and closed-circuit TV.

N/A – No PII is collected.
EAAL = N/A
Risk Analysis Date = 2/1/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  9/7/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NIOSH Partnership Database (PDB) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/22/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-20-0055
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIOSH Partnership Database (PDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Eric Knutsen, Security Steward
10. Provide an overview of the system:  The purpose of the system is to provide NIOSH management and the r2p office an internal online database tool that captures and displays quality partnership information.  NIOSH management has specified the need for tracking and managing NIOSH partnership information.
The system will aid the NIOSH r2p office in tracking NIOSH partnership information, as well as provide NIOSH management a comprehensive listing of NIOSH partners engaged in occupational safety and health research and practice activities.   The database will be able to provide information for the compilation of partnership reports and enough detail to understand the level of involvement between NIOSH and the partner.
NIOSH management and the r2p office need to understand how NIOSH is partnering with external entities so they may fulfill the following functions:
1)       report programmatic interactions with current partners,
2)       take action on maintaining current partnerships,
3)       communicate with partners on specific occupational safety and health topics, and
4)       facilitate or develop new partnerships.
Partnership information includes: partner organization, partner organization individual contact information (person name, address, phone, email, web info), NIOSH employee contact information, partnership involvement description (agreements, projects, committees, standards setting bodies, contact etc.)
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Contains business directory information that could include PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1) The purpose of the system is to provide NIOSH management and the r2p office an internal online database tool that captures and displays quality partnership information.  Partnership information includes: partner organization, partner organization individual contact information (person name, address, phone, email, web info), NIOSH employee contact information, partnership involvement description (agreements, projects, committees, standards setting bodies, contact etc.)
2) The system will aid the NIOSH r2p office in tracking NIOSH partnership information, as well as provide NIOSH management a comprehensive listing of NIOSH partners engaged in occupational safety and health research and practice activities.
3) Yes
4) Voluntary
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  1) Any submission of personal information is voluntary and not required by the system.  The system contains business directory information that could contain PII (a personal phone number, address or email).  A process is in place to protect personal emails, addresses and phone numbers in the database when identified.  Business directory information is within the public domain so is not considered PII.
2) The system pulls partner name and contact information from other data sources across NIOSH (including NORA sector contact lists, project planning system, and extramural program data sets).  Data owners of the source partner data are responsible for working with NIOSH partners to inform them of how their information is used and tracked within NIOSH. When the r2p office is the data owner, we will verbally indicate to the partner how their information will be used.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Partner contact information is hidden from all non-administrative (view-only) users using a technical control on the UI.  Only administrative users in the r2p office can view partner contact information.  Administrative users are limited to the r2p office (approx. 5 r2p staff).  NIOSH POCs are also assigned to each partner.  NIOSH POCs will need to be consulted prior to contacting partners or releasing/using information. Any hard copies of partner contact names or contact information are kept under lock and key in a secure file area in the r2p office. The partnership database is also secured on NIOSH property.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  8/22/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NIOSH SAS/Intrnet Platform (NSIP) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/24/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIOSH SAS/Intrnet Platform (NSIP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Ken McKneely
10. Provide an overview of the system:  The NIOSH SAS\Intrnet Platform (NSIP) is a platform for NIOSH applications that use SAS\Intrnet, which provides a method for using SAS in a web-client application.  It consists of the following systems:

CWHSP:
The Coal Workers' Health Surveillance Program (CWHSP) is a federally mandated worker medical monitoring program.   Its intent is to prevent early disease from progressing to advanced pneumoconiosis.   Under this program underground miners have the right to obtain periodic chest radiographs.   Individuals having certain indications of disease then have the right to transfer to a low dust occupation in the mine.   The program is operated by the National Institute for Occupational Safety and Health (NIOSH), which has maintained the information from this program since its inception in 1970.   The data can be queried to produce tables and maps using the interactive system below.   Further information about the program is available at http://www.cdc.gov/niosh/topics/surveillance/ords/CoalWorkersHealthSurvProgram.html.

NORMS:
The National Occupational Respiratory Mortality System (NORMS) is a data-storage and interactive data-retrieval system developed and maintained by NIOSH as an external-facing application since July 2004.   NORMS is a compilation of national mortality data obtained annually (since 1968, unless otherwise indicated) from the National Center for Health Statistics (NCHS) multiple cause-of-death  records.   Industry-specific and occupation-specific mortality data are included (1985-1999, unless otherwise indicated) for a selected list of states (and years) for which industry and occupation coding from death certificates met NCHS quality criteria.
Deaths from these conditions are defined on the basis of International Classification of Diseases (ICD) coding categories.  NORMS compiles mortality data for the total number of U.S. residents identified with selected respiratory conditions listed as a multiple cause of death, underlying cause-of-death, and for the subset of decedents where the respiratory condition is listed only as a contributing cause-of-death.   Additional information is available by age group (0-14, 15-24, 25-34, 35-44, 45-54, 55-64, 65-74, 75-84, or 85 years and older), race (white, black, or other), Hispanic origin, sex, and state and county of residence at the time of death.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1)  
a.    CWHSP:  The system will disseminate summary data on the number, prevalence, and severity of coal workers’ pneumoconiosis for coal miners participating in the CWHSP x-ray program, 1968-present, in the form of tables, charts and thematic maps.  The system will have the capability of grouping results by various combinations of year, severity of disease, age group, and region, state, or county of the underground coal mine where each participating miner was employed.
b.    NORMS:  This system uses the subset of those data with any respiratory disease or condition listed at http://webappa.cdc.gov/ords/norms-icd.html and http://isx-morg1/drds/jrw5/niosh/topics/norms-icd.html that was coded as a multiple cause of death or as the underlying cause of death.  The system disseminates summary statistics for the number, death rate, years of potential life lost, and mortality ratio of respiratory diseases by age, race, gender, state, county, and/or usual industry and/or occupation.
(2)  The information will be available for public use.
(3)  The information does not contain PII.
N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  1/26/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NIOSH Surveillance Platform (NIOSH Surveillance-Plat) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/9/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 1097
7. System Name (Align with system Item name):  NIOSH Surveillance Platform (NIOSH Surveillance-Plat)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Ken McKneely
10. Provide an overview of the system:  The NIOSH Surveillance Platform is a collection of systems with common security requirements and data classifications.  It consists of the following systems:

eChartbook – The Worker Health eChartbook web site is a descriptive epidemiologic reference on occupational morbidity and mortality in the United States. A resource for agencies, organizations, employers, researchers, workers, and others who need to know about occupational injuries and illnesses, the Chartbook includes more than 10,000 figures and tables describing the magnitude, distribution, and trends of the Nation’s occupational injuries, illnesses, and fatalities. It is a classic ASP application. 

ABLES - The ABLES Interactive Query System is an ASP.NET application that uses web forms to query data from a SQL Server database. The data consists of Adult Lead Exposure cases throughout various states subscribed to the ABLES program. The default page contains links to various HTML files containing informational tables and interactive graphs and charts. There are list boxes allowing users to filter their query results, which are rendered in SQL Reportviewer on a separate aspx page. The report contains a table of cases by state and year along with a bar chart of occupational counts, which are downloadable in PDF or Excel format.

Firefighter Fatality Website - The Interactive Map of U.S. Fire Fighter Fatalities will be a queryable fire fighter fatality map displaying geocoded fatalities by user-selected parameters such as year (beginning in 1990), state, fire fighter demographics, department characteristics, and nature of the fatality event (see Figure 1). Fatalities with pending and/or completed NIOSH investigations (beginning in 1996) will be uniquely marked and may be selected as well. An information bubble for each selected fatality will provide case-specific details about the firefighter and the incident as well as links to completed NIOSH investigation reports when available. A second map subsite will display information about nonfatal incidents with completed NIOSH investigations.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No IIF collected
EAAL = N/A
Risk Analysis Date = 3/22/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P Madden
Sign-off Date:  9/29/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NIOSH Wireless Local Area Network (WLAN) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  5/17/2011
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC# 620
7. System Name (Align with system Item name):  NIOSH Wireless LAN (WLAN)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Vijande Burr
10. Provide an overview of the system:  Provides Wireless CDC Network access for HELD lab service personnel and management conducting research.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  No
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  No
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  5/17/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NIOSHTIC-2 [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/19/2012
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  009-20-01-05-02-9522-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC ID: 1049
7. System Name (Align with system Item name):  CDC NIOSHTIC-2
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  William D. Bennett
10. Provide an overview of the system:  NIOSHTIC-2 is a searchable bibliographic database of occupational safety and health publications, documents, grant reports, and other communication products supported in whole or in part by NIOSH. The NIOSHTIC-2 website allows members of the occupational safety and health community to build simple or advanced queries, and to view, print, or download the results in multiple formats. NIOSHTIC-2 also has a thick-client component. This Windows-based program allows the administrators and data entry staff to add new and to modify existing NIOSHTIC-2 database entries.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Beverly E Walker
Sign-off Date:  1/19/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / CDC NIP Registry Sentinel Project [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  7/15/2010
2. OPDIV Name:  CDC
3. Unique Project Identifier (UPI) Number:  01-04-02-9322-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  ESC #: 1367
7. System Name (Align with system Item name):  NCIRD Registry Sentinel Project (Sentinel)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Karen Cullen
10. Provide an overview of the system:  To understand changing patterns of acceptance of immunization soon enough to properly respond, the public health community requires an instrument that can monitor the public’s response to events in a timely manner.  NCIRD Sentinel Sites report aggregate immunization coverage data to NCIRD on a quarterly basis through a web-based data entry system.  The data is stored in a SQL Server database from which standardized charts are generated for review by the CDC Data Manager.  The system contains business contact information (name, phone and fax numbers and email address) of the state health department employee who does the data entry.  All other data provided by the sentinel sites do not contain IIF.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Sentinel Sites will provide NCIRD with aggregate vaccination coverage information and data quality measurements both quarterly and on an ad-hoc basis. Sentinel Sites evaluate quarterly the current coverage of 4:3:1, 4:3:1:3, 4:3:1:3:3, 4:3:1:3:3:1 in the 19-35 month old population of their sentinel group and compare those numbers with estimates from the most current National Immunization Survey. Sentinel Sites also report quarterly on the number of doses of DTaP, polio, varicella, Hib, Hepatitis B, Hepatitis A, PCV7, and MMR administered to various age groups within the sentinel group.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  No IIF Collected.
E-Authentication Assurance Level = 1
Risk Analysis Date = 6/3/2010
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Kerey L Carter
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Thomas P. Madden
Sign-off Date:  7/25/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________
