
Food & Drug Administration Privacy Impact Assessments

06.3 HHS PIA Summary for Posting (Form) / FDA CDER Adverse Event Reporting System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/1/2010
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-03-01-1010-00-110-032
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CDER Adverse Event Reporting System (AERS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Jeanette Somerville
10. Provide an overview of the system:  Drug Safety (Adverse Event Reporting System-AERS) is a computerized information database designed to support the FDA's post marketing safety surveillance program for all approved drug and therapeutic biologic products.  The ultimate goal of Drug Safety (AERS) is to improve the public health by providing the best available tools for storing and analyzing safety reports.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system does not require collection of any IIF data for successful submission.  However, some physicians, hospitals, or members of the public may voluntarily submit IIF data, for example, social security numbers and patient names.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Voluntary reporters have the option to report or not, to include their IIF or not, and if included, to select a check box requiring that the data be redacted when shared with anyone else. There will be a consent page on spontaneous reports explaining the process to the reporter. Mandatory reports are created by the importer/manufacturers and include what IIF may be known to them. They can likewise express the patient’s consent to sharing IIF through the same checkbox method. The consent form will specifically include all future uses, and will direct the user to the FDA web page that will detail any change in expected use of the data.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The security plan as it relates to the implementation has not yet been written, but there will be non-functional requirements that mandate such security. There is an administrative and technical control by use of password and user identification and the system will be located at a secure facility.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Lori Davis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  8/27/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CDER Electronic Listing [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Not Applicable 
1. Date of this Submission:  11/4/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CDER Electronic Listing
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Ida Milner
10. Provide an overview of the system:  The Center for Drug Evaluation and Research (CDER), Electronic Listing (eList) system supports the FDA’s overarching mission to safeguard and promote the health of the public. Several business missions fuel this project. First is the provision of a means for industry to begin submitting product listing and registration electronically in XML format. XML format is compatible with Health Level-7 (HL-7), which is becoming a healthcare standard.

eList employs a technological environment enabling the FDA to electronically and reliably generate up-to-date Structured Product Labeling (SPL) format labeling for all drug products marketed in the United States. SPL file information contains the following medication data:

- How to use medication - dosing recommendations and monitoring use
- When to use medication - indication, clinical effects (e.g., interactions and adverse events), activity (e.g., mechanism of action), other information about the use of the medication
- Description of the medication - names, ingredients, strength, appearance, dosage form
- How the medication is supplied - name, package type, quantity
- Distributor of the medication
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  eLIST serves as a central data holding place for drug registration and listing.  The information collected includes manufacturer and registration information, including register number, FEI number, company name and address, etc.; drug listing information includes ingredients of the drug, package of the drug, and the usage of the drug.
The information collected will be used for validation and for publication of drug labels to the public.
The information is collected by mandate.
The vendor point of contact information is redacted from the system before it goes to the public.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  9/8/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CDER Special Products Online Tracking System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  3/5/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-020200110 246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Special Products Online Tracking System (SPOTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Michael Folkendt
10. Provide an overview of the system:  The Special Products Online Tracking System (SPOTS) is an internal FDA intranet application which supports the tracking of all ingredients (active or inactive with certain specific exceptions) derived from plant (except highly purified compounds), animal, microorganism and recombinant technology used in pharmaceutical products that are the subject of a Center for Drug Evaluation and Research (CDER) New Drug Application (NDA), Abbreviated New Drug Application (ANDA), or Investigational New Drug Application (INDA).
SPOTS enables CDER to rapidly identify NDA, ANDA, and IND applications that contain one or more plant or animal-derived ingredients and generate a list of related drug applications based on the animal or plant used, the tissue or plant part used, and/or the ingredient source country.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The SPOTS application is used by the drug product quality review staff primarily located in the Office of New Drug Quality Assessment (ONDQA), Office of Biotechnology Products (OBP), and the Office of Generic Products (OGD).  All three offices are located under the Office of Pharmaceutical Science (OPS).  The Office of New Drug Quality Assessment is the Business owner and administrator for this system. 

The SPOTS application serves as a database to track applications that contain, or use as part of the drug manufacturing process, animal-derived, plant-derived, or biotech-generated ingredients.  The reviewers add to the database as they review applications that meet the SPOTS criteria (contains relevant ingredients).

For all plant, animal, and microorganism-derived ingredients, the system is used to keep a record of the country of origin (source) and the start and stop dates when ingredients are sourced from a given country or region.  For animal (including human) derived products, the system also records the tissue used.  For plant-derived ingredients, the system tracks the plant common name and plant part used, if known.  For products derived from microorganisms, the type of organism used is tracked (i.e., bacteria, yeast, fungus, plant, insect or mammalian).

CDER can quickly and accurately search for and generate a list of NDA, ANDA, and IND applications that contain one or more plant or animal-derived ingredients based on the animal or plant used, the tissue or plant part used, and/or the source country.  System access and use is restricted.  No personnel outside of CDER have access to the SPOTS system.  Within CDER, Drug Product Quality Users are given CREATE (i.e., data entry) privileges.  Before new data is committed to the system, it is first reviewed by an administrator.  Other CDER users are limited to Search-only access.

No personally identifiable information (PII) is collected in SPOTS.  Because the system does not contain PII, the question of whether submission of personal information is mandatory or voluntary does not apply.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  SPOTS does not collect, contain or disseminate PII.  If FDA's practices change to include collection or dissemination of PII via SPOTS, FDA will implement a process to notify and obtain any necessary consent from individuals, such as direct email or a form available on line.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  3/7/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CDER Substance Registration System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  2/1/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-01-0303-00-110-032
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CDER Substance Registration System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Alex Schultz
10. Provide an overview of the system:  The overall purpose of the Substance Registration System (SRS) is to support health information technology initiatives by generating unique ingredient identifiers (UNIIs) for substances found in drugs, biological products, foods, and medical devices. The UNII is a non-proprietary, free, unique, unambiguous, non-semantic, alphanumeric identifier based on a substance’s molecular structure and/or descriptive information.  SRS enables FDA to efficiently, effectively, and reliably maintain UNIIs for substances in drugs, biologics, foods, and devices, and make them available as a common substance terminology for free use in health information systems.

SRS features are combined with the features of the Center Ingredient Dictionary (CID) application within a modern application environment that efficiently integrates software created by MDL Information Systems within a Java 2 Platform Enterprise Edition (J2EE) environment. This enables the system to provide enterprise-wide integration with other FDA applications.

13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The Substance Registration System (SRS) collects and maintains data and descriptive information on substances that are ingredients in drugs, biological products, medical devices and foods. The information consists of the name of the substance, descriptive information and the unique ingredient identifiers (UNIIs) generated by the system for each substance. The UNII is a non-proprietary, free, unique, unambiguous, non-semantic, alphanumeric identifier based on a substance’s molecular structure and/or descriptive information. FDA uses SRS to efficiently, effectively, and reliably maintain unique identifiers for ingredient substances and make them available as a common substance terminology that can be used in health information systems.

No personally identifiable information (PII) is collected or maintained in SRS.  Because the system contains no PII, the question of whether submission of personal information is mandatory or voluntary does not apply.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  SRS does not contain PII and is not subject to the Privacy Act. If FDA’s practices change to include collection or dissemination of PII via this system, FDA will implement a process to notify the affected individuals, such as by direct or agency-wide email.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  2/6/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CDRH Center Electronic Submissions [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  3/23/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-5030-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  5344
7. System Name (Align with system Item name):  FDA CDRH Center Electronic Submissions (CeSub)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Paul Fisher
10. Provide an overview of the system:  Under the Medical Device Amendments of 1976, manufacturers of medical devices--including but not limited to x-ray machines, pacemakers and breast implants--are required to submit applications to the FDA for approval to ensure that these products are safe, effective, and labeled properly before they become available on the market. 

The Center for Devices and Radiological Health (CDRH) receives and reviews thousands of submissions from regulated industry and consumers seeking FDA approval to market new devices and products, as well as to track changes and adverse events related to approved products.  These submissions traditionally have been scanned into the electronic document management system "Image 2000".  The CeSub project is based mostly upon the Image 2000 knowledge and document management system, and it adds functionality to permit the receipt and review of electronic submissions.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Under the 1976 medical device amendments to the Food, Drug, and Cosmetic Act, the Food and Drug Administration is mandated to collect and analyze manufacturer data related to the safety and efficacy of medical devices before they may be marketed in the US.  The information contained in CeSub represents the official record of submissions from manufacturers.  This includes Premarket Notifications 510(k), Premarket Approvals (PMAs), Investigational Device Exemptions (IDEs), labeling data, medical device reporting, and establishment registration and medical device listing forms.  In addition, all FDA decision letters and any supplemental information requested from the manufacturer are stored in the CeSub Image 2000 repository.  Data within the system may include the submitter's name and contact information.
21 CFR 1002.7 gives FDA authority to define what information we want in a reporting guide.  CDRH determined that contact information must be provided. 
21 CFR 1002.7 requires a signature by the submitter because a responsible individual must be identified. Having that person's name in printed form so it is legible is necessary. Similarly 1002.10 requires the name of the manufacturer - since companies can have similar names, address information is required to uniquely identify the manufacturer. The location of manufacturing facilities is also specifically required.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There are no notice and consent procedures specific to this system.  Submitters receive notice as displayed on submission forms, on fda.gov where submission processes are described and where a link to the FDA website and privacy policy is permanently displayed, as well as within the relevant statute, published regulations and related Federal Register notices.  Individuals serving as points of contact responsible for submitting information on behalf of manufacturers may update or correct their contact information by advising FDA via phone, email, or in the course of submitting records to FDA. If FDA's privacy practices change or FDA changes its collection, use, or sharing of PII data in this system, the individuals whose PII is in the system will be notified by the most efficient and effective means available and appropriate to the specific change(s). This may include a formal process involving written and/or electronic notice, or informal processes such as email notice to the individuals.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Information contained within this system is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB. All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the CDRH Center Electronic Submissions system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  3/26/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CDRH Center Tracking System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  3/12/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-09-02-0513-00-110-032
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  009-000267063
7. System Name (Align with system Item name):  FDA CDRH Center Tracking System (CTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Steven Garelick
10. Provide an overview of the system:  The Center Tracking System (CTS) is a workflow, work management, and tracking system which supports a variety of pre-market and post-market business processes in the Center for Devices and Radiological Health.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Name and contact information is not shared with the public, but is shared within FDA by various applications for purposes of registration, listing, and further contacts with the document submitter.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  CTS is a web based application for workload management and tracking, which contains information related to the pre-market submission review process. 
CTS's chief function is to track the progress of pre-market documents through the review process.  Specific activities or processes currently supported by CTS include Premarket Division Tracking, Clinical Laboratory Improvement Act submissions, Requests for Designations, Condition of approvals, Device Nomenclature data, Postmarket Surveillance Studies, Compliance Operation Program Support, and eConsults.  Contact information that appears in CTS is that supplied by the companies submitting premarketing documents, and work location information on CDRH personnel assigned to review those documents.  Firms submitting these documents must supply contact information.

Information about devices that have successfully completed any required pre-market review by the FDA is made public through the CDRH and FDA Freedom of Information Act (FOIA) Offices.  Information about devices that are under review, or which were not approved, is not shared.  The business contact information in CTS is also not published, but can be made available under a Freedom of Information (FOI) request.

The PII in the system is primarily business submitter contact information included with legally required submissions, and internal FDA personnel data such as name. This information is necessary to enable FDA to process and respond to submissions.  The submitted materials may also include legal documents and device identifiers that could potentially constitute PII (be used to identify an individual).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There are no formal notice and consent procedures specific to CTS.  External submitters provide their contact information as a practical requirement in order to communicate with FDA about submissions. System users (FDA employees/contractors) are advised at the CTS login screen that they are accessing a U.S. Government information system, their system usage may be monitored, recorded, and subject to audit, unauthorized use of the system is prohibited and subject to criminal and civil penalties; and use of the system indicates consent to monitoring and recording. If FDA's privacy practices change or FDA changes its collection, use, or sharing of PII data in CTS, the individuals whose PII is in the system will be notified in the most efficient and effective form available and appropriate to the specific change(s). This may include establishing a formal process involving written and/or electronic notice.  Alternatively, notification will be made by informal processes such as email notice to the individuals.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Information contained within this system is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB. All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the CDRH Center Electronic Submissions system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  3/16/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CDRH Mammography Program Reporting Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  3/12/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-4060-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  0910-0309
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CDRH Mammography Program Reporting and Information System (MPRIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Timothy Haran
10. Provide an overview of the system:  Under the Mammography Quality Standards Act (MQSA), all mammography facilities must be accredited by an approved accreditation body, certified by the FDA, and inspected annually in order to legally provide mammography services in the United States. Likewise, mammography facility medical personnel must also meet qualification standards. 

FDA’s Center for Devices and Radiological Health (CDRH) employs the Mammography Program Reporting and Information System (MPRIS) to maintain inspection data and facility information, and to manage the inspection and reporting process.  Information in MPRIS is shared with authorized FDA employees and contractors, and with the Centers for Medicare and Medicaid Services (CMS). The information provided to CMS is limited to facility certification data and does not include personally identifiable information (PII).
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A.  PII is shared only with authorized FDA employees and contractors; it is not disclosed outside FDA.  PII in MPRIS is not matched against PII in other systems, and no other organization or systems are dependent on the PII in MPRIS.  Because MPRIS is not subject to the Privacy Act, there are no formal notification processes in place.  Individuals who have questions or complaints, or wish to correct their PII (contact info, ID number) may contact system or program management.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The information collected in the Mammography Program Reporting and Information System (MPRIS) includes the name and physical location of each mammography facility, along with the facility mailing address, telephone and facsimile numbers, the types and number of mammography equipment in use, and PII consisting of the names of facility personnel, including official contacts for accreditation, billing, and compliance matters.

The facility information is collected by FDA inspectors, FDA-approved accreditation bodies, and by State inspectors working under contract to FDA, in the course of mandatory annual facility inspections. This information is required by, and used in keeping with, the provisions of the MQSA and related FDA regulations (21 CFR Part 900) to contact the regulated facility regarding FDA matters, to determine their certification status, to schedule inspections, and to determine the compliance of the facility and facility personnel with the MQSA and related regulations.

The CDRH Division of Mammography Quality and Radiation Programs (DMQRP) also collects information in MPRIS regarding the State inspectors working under contract with FDA. This data is obtained from State authorities at the time of contract signing, and it is limited to publicly-available information, including PII consisting of inspector name, office address, and office telephone and facsimile number. Submission of this information (PII) is mandatory.  It is not required by statute but is necessary in order for FDA to contact inspectors and provide technical support, equipment, and policy guidance when necessary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There are no formal notice and consent procedures available for individuals whose PII is contained in MPRIS.  State inspectors may correct their PII data (name and work contact information) and submit any data use or sharing concerns by contacting the appropriate FDA/MPRIS office.  System users are advised at log in to the system that it is for use by authorized personnel only, that system use may be monitored and that by using MPRIS they consent to monitoring. If FDA’s privacy policies and practices change, the affected individuals will be notified electronically by email directly to the individuals, to the facility, and/or to the State office(s) through which FDA contracts with the State inspectors.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within MPRIS is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within MPRIS.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  4/20/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CDRH Traction [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  2/9/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  Not Applicable
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  Not Applicable
7. System Name (Align with system Item name):  CDRH Traction
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Don Ngo
10. Provide an overview of the system:  Traction is a permission filtered, collaborative tool used exclusively on FDA’s internal network by FDA employees and contractors (collectively referred to as employees or personnel). Personnel may use Traction for a variety of purposes: to share information, collaborate on issues, manage documents, and stay informed about current activities in their office, center, and throughout FDA.

FDA personnel log in and navigate to their team/department’s workspace within Traction.  They can choose to create a new article (similar to email in composition), comment on an article (continuing a conversation), or upload documents to the shared folders portion of their workspace.  Traction stores text-based information in a database file and provides a place, called a journal, for personnel to create, share and discuss work related documents, data and FDA projects.  As new content is added, the journal will be updated with new content and links to documents which are stored in the application.

The journal is a structured query language based (SQL-based) database which is managed using commands developed by the vendor, Traction Software.  These commands are included in the Traction install package and are executed by a local FDA Traction System Administrator when maintenance is needed.  Database maintenance is not needed on a regular basis.  All non-text based data (documents, spreadsheets, attachments) is stored directly on the host server and can be accessed at a server level.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Not Applicable. Information in the system is not shared externally.  No systems are dependent upon the PII in Traction.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Traction is an internal collaborative tool used by authorized FDA personnel (employees and contractors) to communicate in the course of their work.  Traction stores text-based information in a database file or “journal” providing a place for Agency personnel to create, discuss and share specific work related documents or data. The database file is called a journal. 

Personnel who use Traction will have one data item automatically associated (not optional) with their use: their name.  Submission of any other PII is voluntary and at the discretion of the user. For example, personnel may opt to create a user profile within the application.  If they do so, their work contact information consisting of their work email address, work phone number, and work office location/mailing address is automatically retrieved from FDA’s Enterprise Administrative Support Environment (EASE) system.  Updated data is electronically fed to EASE on a nightly basis by the HHS Enterprise Human Resources and Payroll (EHRP) system where it is collected from personnel at the time of hire.  The purpose for including the work contact information in Traction is to enable personnel to communicate and collaborate with one another; this is the overall purpose of Traction. Accordingly, in order to effectively share and collaborate on work, users’ names and work information (if they created a profile) are displayed and/or available to others using Traction. 

Personnel may also choose to include PII within their profile or within open text fields when discussing a topic within Traction.  Users may also post outside information of interest to FDA personnel or related to FDA projects for other users to view within Traction such as the text of articles or documents or links to such items. 

Training on Traction is available to all personnel.  In the course of the training, personnel are advised against disclosing PII in their use of Traction and informed of the Agency-wide accessibility of information they provide. All employees and contractors are also given explicit notice at network login that their use of the network and FDA systems is not private, and that any information they disclose may be used and disclosed for government purposes without their permission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Not Applicable. Traction is not subject to the notice and consent provisions of the Privacy Act.  However, as part of Traction training, personnel are advised against disclosing PII when using Traction and informed of the Agency-wide accessibility of information they provide. All employees and contractors are also explicitly notified via pop-up window text at network login that their use of the network and FDA systems is not private, and that any information they disclose may be used and disclosed for government purposes without their permission.  Traction is not publicly accessible.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within Traction is protected by administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within Traction.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  2/10/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN CFSAN Adverse Event Reporting System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  10/10/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-4100-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  Yes. A System of Records Notice (SORN) is currently in development with system number to be assigned.
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CFSAN Adverse Event Reporting System (CAERS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cory Milam
10. Provide an overview of the system:  The Food and Drug Administration (FDA) Center for Food Safety and Applied Nutrition (CFSAN) regulates and oversees the safety of the nation's food and cosmetic products and is responsible for assuring a safe and wholesome food supply and safe cosmetics for the citizens of the United States.  Part of CFSAN’s mission is to collect and monitor adverse events resulting from the use of food or cosmetic products regulated by the FDA.  Such monitoring is considered post-market surveillance (PMS), and involves the careful assessment of adverse events that appear associated with a substance and/or product.  CFSAN relies on submission of voluntary reports by consumers, health professionals, and other interested parties about all its products.  In addition, dietary supplement manufacturers, packers or distributors are required by a law implemented in 2007 to submit to CFSAN serious adverse events that are reported to them about their dietary supplement products.

Through three central components (data entry and document scanning, incident review and alerting, and reporting and analysis) CAERS_TMS facilitates safety review and medical evaluation of the thousands of adverse events reported to FDA.  CAERS_TMS provides for trend and other analyses across the database and promotes safer practices by producers and consumers of foods, cosmetics, infant formulas and dietary supplements through more timely and efficient detection, tracking, evaluation, communication, and prevention of adverse events.  CAERS_TMS also identifies potential problematic ingredients for later study.
The effective management of adverse event data that is related to CFSAN regulated products is essential to the mission of CFSAN.  CAERS_TMS provides a comprehensive, consolidated system for managing the electronic files and data associated with CFSAN's adverse event review process.  The CFSAN Intranet-based CAERS_TMS program enables the efficient receipt, viewing, and archiving of adverse event data and source documents, allowing access to information from staff desktops, automating analytical and administrative processes, while integrating appropriate information from other FDA systems.

The Thesaurus Management System (TMS) is an adjunct to CAERS_TMS and is within the Accreditation Boundary.  The TMS interface allows the CAERS_TMS system to code terms according to standard dictionaries loaded into TMS.  Currently, TMS has three dictionaries to code symptoms and ingredients (MedDRA, a dictionary of symptoms; Herbs of Commerce “HOC”, a dictionary of botanical and dietary supplement ingredients; Personal Care Products Council (PCPC), a dictionary of cosmetic ingredients).  TMS is an Oracle product that allows the storage of term dictionaries and has the functionality to code verbatim terms to a standard term from a given dictionary.  The CAERS_TMS system sends terms to TMS via Oracle stored packages and procedures.  TMS receives the terms and tries to auto-code them.  Once coded, TMS returns the coded terms back to CAERS_TMS.  If terms are not coded automatically, users need to log in to the TMS system to manually code the terms.  Once the terms are coded, CAERS_TMS receives the manually coded terms.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Internal FDA systems
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The mission of the U.S. Food and Drug Administration’s (FDA) Center for Food Safety and Applied Nutrition (CFSAN) is to assure the safety and wholesomeness of the nation's dairy products, plant foods, beverages, seafood, dietary supplements, cosmetic products, infant formula, medical foods, food and color additives, and all ingredients that come into contact with foods (CFSAN regulated Products). Among CFSAN's priority activities supporting this mission is performing post-market surveillance including but not limited to collecting, monitoring, and analyzing adverse event reports and product complaints, which are alleged to be related to CFSAN regulated products. Virtually all of the reports of adverse events and product complaints are voluntary submissions from consumers, health professionals, and other interested parties. The very rare exception to voluntary submission is the mandatory reporting required for firms that manufacture infant formula when a death of an infant has been associated with their product. Reports are captured and processed and enter the CFSAN Adverse Event Reporting System (CAERS) through several routes (FDA's Field Accomplishments and Compliance Tracking System (FACTS), FDA's MedWatch Program, and direct mail, e-mail, or phone messages to CAERS). Voluntary IIF information may be included in the system.  However, records are not retrievable by a typical IIF; instead, an agency-assigned CAERS case number is given to the case when information is entered into CAERS. The CAERS data is used as a basis for enforcement and regulatory action on CFSAN regulated firms and products to help perform the mission described above.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Controls and safeguards are in development in tandem with the System of Records Notice.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Lori Davis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  9/3/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN CFSAN Automated Research Tracking System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  12/7/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-0202-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CFSAN Automated Research Tracking System (CARTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Simmy Yau
10. Provide an overview of the system:  CARTS enables the Center for Food Safety and Applied Nutrition (CFSAN) to manage its research efforts more economically, effectively, and transparently; and it now serves as the Center's principal research program coordination and communications tool through which we assess and report on the current status of our research portfolio, provide information on resource utilization, and help to ensure research program accountability.  CARTS greatly facilitates the Center’s ability to communicate information about all of our research activities with stakeholders both inside and outside the Agency.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  CARTS records all information on research conducted within CFSAN and in collaboration with external organizations.  The information is gathered from scientists and managers and includes the nature and scope of the research itself, administrative and organizational information, and the names of individual scientists.

The PII collected in CARTS is limited to the name and affiliation of the collaborating scientists. Submission of this information is not statutorily mandated, but is operationally required in order to efficiently track and coordinate collaborative research programs in support of FDA’s overall mission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  CARTS is not subject to the Privacy Act and there is no existing formal notification process. If FDA's privacy practices change or FDA changes its collection, use, or sharing of PII data in the system, the individuals whose PII is in the system will be notified in the most efficient and effective form available and appropriate to the specific change(s). This may include establishing a formal process involving written and/or electronic notice.  Alternatively, notification will be made by informal processes such as email directly to the individuals affected.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Access to CARTS is restricted to authorized FDA users with accounts in CARTS and/or Business Objects who can only access CARTS information via the FDA intranet.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  12/9/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN Color Certification [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  4/19/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-0505-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  OMB 0910-0216
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CFSAN Colors Certification System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Adam Rixey
10. Provide an overview of the system:  The Colors Certification System supports batch certification of color additives in accordance with CFR Title 21, Parts 70, 74, 80, and 82.  Colors Certification data is exported to the CFSAN web servers so that twenty-one industrial users may view data on their own certification requests (the remaining eleven requestors certify only one or two samples per year and have not chosen to participate in the online system at this time).  Requestors for color certification will have access only to their own data on a separate public web site.  All other data is restricted to the Office of Cosmetics and Colors.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system collects manufacturer and color additive information necessary to ensure the name and location of the color manufacturer, where the color additive is being stored, and how the color was made.  Because no personally identifiable information (PII) is required, solicited or collected, the question of whether the submission of PII is mandatory or voluntary does not apply.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  If the FDA’s use of the system changes to include collection of PII, the Agency will employ measures to provide the required notice and obtain consent from individuals. This may include email to individuals, adding notice language to paper forms, updating online notices and disclaimers, and/or using other available technological tools.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  4/20/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN FDA Unified Registration and Listing System - Low Acid Canned Foods [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  5/15/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-0505-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  0910-0037
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CFSAN Low Acid Canned Foods (LACF)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cory Milam
10. Provide an overview of the system:  The Low Acid Canned Foods (LACF) system gives low acid canned food processors the ability to register data with FDA in accordance with the Code of Federal Regulations (CFR) Title 21, Parts 108.25, 108.35, 113, and 114.  LACF functionality will be absorbed into the FDA Uniform Registration and Listing System (FURLS) in December 2012.  This work will be broken into two phases. In Phase I, only CFSAN and FDA Field personnel involved in enforcement activities have access to the software and data.  The Phase II implementation will provide Domestic industry the ability to submit products’ processes as well as monitor all submissions.  When full implementation takes place, all foreign and domestic LACF processing facilities will have the ability to engage in online access and monitoring of a facility’s products’ processes as reported to and reviewed by FDA.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  In accordance with CFR Title 21, Parts 108.25, 108.35, 113, and 114, the LACF system collects data regarding food processing plants, the type of food processed, processing methods used, container types, and sterilizing systems employed by a facility.  The system also collects personally identifiable information (PII) contact information consisting of name, work phone number, work e-mail address, work fax number and work mailing address for external (regulated industry) users and FDA internal users.  In addition it collects title, nickname, organizational information, and person ID (generated by a separate system) for FDA internal users.  Submission of PII is mandatory.

The information collected in LACF is reviewed by technical staff to provide proof that the LACF-related product is commercially sterile to prevent a potential health hazard.  The CFSAN and FDA staff use this data to enforce relevant regulations (CFR Title 21, part 108).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Internal users (FDA employees and contractors) are notified at the time of hire, and as a condition of employment must consent to the government’s use of their information in relation to their work with a federal agency. External users (LACF processing industry submitters) receive notice via the context of the form submitted, within the system login screen, the related Frequently Asked Questions (FAQ) pages and the FDA privacy policies available via link provided on all of the FDA.gov pages including the system login page.  The submission forms, system login page, account creation guide and other locations on FDA.gov also provide notice and give users FDA help desk contact information.

If FDA changes its practices with regard to the collection or handling of PII related to the LACF system, the Agency will employ measures to provide any required notice and obtain consent from individuals regarding the collection and/or use of PII. This may include email to individuals, adding or updating online notices, or using other available means.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Information contained in LACF is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB. All applicable security controls are periodically reviewed to ensure they are implemented correctly, operating as intended, and protecting information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN Food Applications Regulatory Management [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  5/17/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-4050-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CFSAN Food Applications Regulatory Management (FARM)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Ziyad, JoAnn
10. Provide an overview of the system:  The FARM system is an end-to-end electronic information management system that manages and validates the receipt, processing, storage, routing, tracking, and reporting of food ingredient information collected from the food industry.  It manages information regarding food ingredients that are added to or will come in contact with food for human consumption and ingredients that are consumed as dietary supplements.  The information that industry submits to the agency contains chemistry, toxicology, environmental, nutritional, microbiological, and other relevant safety-related data.  Information collected by the FARM system consists of data required to perform the safety review of food ingredients under the Federal Food, Drug and Cosmetic Act, the Dietary Supplement and Health Education Act (DSHEA), the Food Allergen Labeling and Consumer Protection Act of 2004 (FALCPA), and related FDA regulations set out in the Code of Federal Regulations at 21 CFR 71 and 170-190.  These legal authorities describe the data required from industry for the Food and Color Additive Petitions, Food Contact Notifications (FCN), Generally Recognized as Safe Notices (GRN), New Protein Consultations, Bioengineered Foods Consultations (BNF) for the Office of Food Additive Safety, New Dietary Ingredient 75 Day Notices, and 30 Day Structure Function Label Notices for the Office of Nutrition, Labeling and Dietary Supplements.  All petitions, notices, and notifications must contain appropriate and sufficient scientific data and information to support the safety review process.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The FARM system contains information submitted by the food industry on ingredients that are added to or will come in contact with food. All petitions, notices, and notifications must contain appropriate and sufficient scientific data and information to support the safety review process.   

The FARM system contains a minimal amount of PII which is required in order to contact industry business personnel. The names and business phone numbers collected are not used to retrieve information from the FARM system. The agency collects only the information provided for under the Federal Food, Drug and Cosmetic Act (FFDCA) and corresponding regulations (21 CFR 71-199), the Dietary Supplement and Health Education Act (DSHEA), and the Food Allergen Labeling and Consumer Protection Act of 2004 (FALCPA).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/17/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN Interstate Milk Shipper [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  4/13/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Interstate Milk Shippers
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Kevin Smith
10. Provide an overview of the system:  The Interstate Milk Shippers system is an online web-based system which allows electronic submission of Interstate Milk Shipper (IMS) forms directly through the Internet. The system enables State Rating Officers (or Consultant in the case of foreign single-service sources) and FDA Regional Milk Specialists to process and submit the Interstate Milk Shippers Report (form 2359i), the Interstate Milk Shipper Check Rating Report (form 2359h), and the Single Service Certification forms (form 2359d). The 2359i forms are submitted electronically to the FDA Regional Milk Specialist, who reviews the forms and submits them to the CFSAN IMS administrator for review and approval, followed by immediate publication on the IMS list through the Internet. State Milk Shippers Rating Officers no longer need to submit the paper form to the FDA but still have the option for paper submission. Only required personnel and officials are granted access to the application.  Such access is controlled and reviewed regularly by IMS administrators.  The scope of user access is restricted by the roles assigned to each user.  Not all IMS documents are accessible to users.  The roles define which document or sections of the document they can read or modify.  Such restriction is important to maintain the accuracy and reliability of the data.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  State Regulatory Agencies, in cooperation with the National Conference on Interstate Milk Shipments (NCIMS), require mandatory reporting of names of interstate milk shippers and their ratings.  Reported data includes the extent of the national testing activities, the analytical methods used, the nature and extent of the animal drug residues identified, and the amount of contaminated milk that was removed from the human food supply. The system encompasses all milk, including “Grade A” and “non-Grade A”, commonly known as manufacturing grade milk. “Grade A” milk represents approximately 95% of the milk supply in the United States and is regulated by State Regulatory Agencies in collaboration with the NCIMS. 

As part of the regulatory process, State Rating Officers and Laboratory Evaluation Officers conduct regular ratings of interstate milk shippers, single service container fabricators, and milk laboratory evaluations, and submit the appropriate reporting forms to the Dairy and Egg Safety Branch of FDA’s Center for Food Safety and Applied Nutrition (CFSAN).  Up-to-date firm data and rating information for milk shippers, laboratories, and manufacturers of single service milk containers is thereby maintained in the IMS List.  

PII in this system is limited to the names and titles of the container fabrication plant authorizing officer (form 2359d), the name and email address for FDA employees, and the name, work title, work email address and work phone number for State officials that are included as standard elements of the report forms (2359h, 2359i) submitted in the evaluation and approval process. Submission of this information is not mandated by statute but for operational and administrative purposes it is a required element of the report forms.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is not a notice and consent process associated with the IMS system.  FDA personnel receive notice of the Agency’s use of their information in relation to their work as an FDA employee at the time of hire.  State officials and container fabrication plant officers are aware of the intended use of their PII (name) due to the context and content of the FDA forms used for data submission.  They may also view FDA’s website and privacy policies permanently available via link on every FDA.gov page.

Should FDA’s use of PII in the system change, the Agency will employ measures to provide any required notice and obtain consent from individuals regarding the collection of PII. This may include email to individuals, adding or updating forms and/or online notices.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information is protected by administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN Priority-Based Assessment of Food Additives [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  4/13/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-0505-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CFSAN Priority-Based Assessment of Food Additives (PAFA)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Mary LaVecchia
10. Provide an overview of the system:  The Priority-Based Assessment of Food Additives (PAFA) gathers administrative, chemical, and toxicological information on over 3000 substances directly added to foods.  In addition, limited information is collected on approximately 3500 food additives that may migrate from one food to another through packaging or the like.  This information is used as background material for regulatory review, research projects, and serves to answer Freedom of Information Act requests in an efficient manner.  PAFA provides foundational data for the scientific and information technology tools used for conducting preliminary Structure Activity Relationship (SAR) analysis of new substances submitted to the Agency for approval.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The PAFA system is used to maintain administrative, chemical, and toxicological information on over 2000 of approximately 3000 substances directly added to food. This includes substances regulated by the FDA as direct additives, "secondary" direct additives, color additives, and Generally Recognized As Safe (GRAS) and prior-sanctioned substances so that toxicological profiles can be produced for the ingredients added to the food supply.  It is a source of information for post-market surveillance of food additives.
Because the system does not collect, maintain or disseminate personally identifiable information the question of whether PII submission is mandatory or voluntary does not apply.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The system does not contain or share PII. If the FDA’s use of the system changes to include collection of PII, the Agency will employ measures to provide notice and obtain consent from individuals. This may include email to individuals, adding notice language to paper forms, updating online notices and other available technological tools.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  4/23/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN Resource Reporting System Via Project [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  4/13/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-0202-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CFSAN Resource Reporting System Via Project (RSVP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Charles Sabatos
10. Provide an overview of the system:  RSVP is a user-friendly time reporting system that provides data concerning personnel resources planned and expended to support the business processes of the Center for Food Safety and Applied Nutrition (CFSAN) offices and divisions. The application supports over 1200 users and is accessed only through the CFSAN Intranet.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The RSVP system contains time and project resource data for purposes of business planning and resource allocation within CFSAN.  The personally identifiable information (PII) handled in the system consists of FDA employee name, office contact information, and hours worked or on leave.  Submission of this PII is mandatory.  Employee (user) access is restricted to the employee’s own pay period totals in order to allocate hours to specific projects.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  At the time of hire, CFSAN personnel are given notice of and consent to FDA’s use of their professional information in relation to their work as a federal/FDA employee.  Employees can update and correct their information at any time.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Information in the RSVP system is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB. All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN Seafood HACCP [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  9/12/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Seafood Hazard Analysis and Critical Control Point
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  William R. Jones
10. Provide an overview of the system:  Commercial seafood processors develop their plans of food safety controls to identify and prevent potential health hazards with their products. These controls comprise the processing firm’s hazard analysis and critical control point (HACCP) program. CFSAN’s Seafood HACCP application provides the means both to capture the controls and to evaluate each processing firm’s performance with respect to its HACCP program. FDA field inspectors enter data directly into the Seafood HACCP application through the CFSAN Intranet. Then CFSAN’s Office of Food Safety (OFS) evaluates each processing firm’s performance in complying with its controls and generates a series of summarized reports. This evaluation process enables OFS management to evaluate the performance of processing firms as well as determine industry trends with respect to compliance and regulatory activities. The Seafood HACCP application also allows OFS to meet the Center’s post-market, scientific, and business process goals in the area of seafood safety. HACCP plans are generally protected, and withheld from release subject to FOIA exemption (b)(4). The Seafood HACCP database is accessed through the Intranet. The database and server are protected by logical controls.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system captures firm data regarding seafood processors and their HACCP programs. This information enables FDA to evaluate each processing firm’s performance in complying with its HACCP program.

The Agency performs HACCP compliance inspections of domestic and foreign fish and fishery products processing facilities. These inspections ensure that these processors implement a system of preventive controls, in addition to ensuring compliance with more traditional regulatory requirements, such as the Current Good Manufacturing Practice Regulation.  The HACCP system tracks the implementation of HACCP plans and sanitation controls needed as part of the inspection of the processor's entire HACCP system.

PII in this system is limited to the names of FDA and State inspectors that are included as standard elements of the report forms submitted in the evaluation and approval process. Submission of the inspector names is not mandated by statute but is required in order to administer inspections.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information is protected by administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  9/12/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN Shellfish Shippers [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  5/18/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  0910-0021
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Shellfish Shippers
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Kevin Smith
10. Provide an overview of the system:  FDA and State regulatory agencies, foreign nations, and the molluscan shellfish industry participate in the National Shellfish Sanitation Program (NSSP).  Each participant identifies its certified shellfish processors to FDA on Form FDA 3038, the Interstate Shellfish Dealer's Certificate. FDA uses this information to compile the Interstate Certified Shellfish Shippers List (ICSSL), a monthly publication that lists certified shellfish processors. This list is used to identify and exclude shellfish processed by uncertified processors.

FDA’s Shellfish Shippers System has an online electronic data submission component that enables the State Control Authority (SCA), Shellfish Shipper inspectors and administrators to securely submit FDA form 3038 directly via the Internet. Submitters also have the option to provide a hard copy form 3038 to the FDA.  

FDA maintains the form 3038 Certificate information in a centralized CFSAN (Center for Food Safety and Applied Nutrition) database. After the CFSAN Shellfish Shippers Administrator reviews and approves the submitted Certificate data, the Certificate information is entered into the system database and the certification information is made available to the public on the ICSSL. 

The ICSSL displays: certified shellfish business name, city/town, state/country, and business’s shellfish function (e.g., reshipper, shucker-packer); a list of FDA regional offices with contact names, office address, office phone and fax numbers, office email; and, State and country shellfish regulatory official contact information including the name of the official, title, office address, office phone and fax number, and office email address.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII (contact information) from the system is displayed as part of the Interstate Certified Shellfish Shippers List (ICSSL) provided on FDA.gov. The ICSSL is a monthly publication compiled and published for public health purposes.  The ICSSL identifies certified shellfish processors to enable the FDA, the public and industry to identify and exclude or avoid shellfish processed by uncertified processors.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system collects shellfish industry firm data and certification information as part of FDA Form 3038 submitted by the firms, and administrative information gathered for FDA, State and country officials. This information includes the name and business contact information for FDA regional officials, State and country officials, and the certified shellfish entity, along with the inspection date, certificate number and date of certification, and the date of submission to FDA.  This information is used by food control officials, seafood industry and other interested persons and is published monthly in the ICSSL, a primary tool for authorities to differentiate between certified and uncertified shellfish processors.  Submission of the personal information collected in the system is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is no notice and consent process specific to the IMS system.  As a condition of employment, FDA employees consent to the FDA’s use of their professional contact information in association with their work for the Agency. External submitters of information are aware of the intended use of their PII (name) by virtue of the context and content of the FDA form used for data submission.  They may also view FDA’s website and privacy policies permanently available via link on FDA.gov and the specific submission website.

Should FDA’s use of PII in the system change, the Agency will employ measures to provide any required notice and obtain consent from individuals regarding the collection of PII. This may include email to individuals, and adding or updating forms and/or online notices.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information is protected by administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN Small Business Nutrition Labeling Exemption [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  4/13/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  0910-0381
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Small Business Nutrition Labeling Exemption (SBNLE)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Rene Miguel Amaguana
10. Provide an overview of the system:  The Federal Food, Drug, and Cosmetic Act requires packaged foods and dietary supplements to bear nutrition labeling unless they qualify for an exemption.  A small business that produces a low-volume product may submit a Small Business Nutrition Labeling Exemption (SBNLE) Notice form stating it qualifies for an exemption from FDA's nutrition labeling requirements. The exemption applies if the business employs fewer than 100 full-time equivalent employees and fewer than 100,000 units of that product are sold in the United States in a 12-month period.  The exemption is not available for products with regard to which a health or nutrition claim is made.
The SBNLE system facilitates this process; it enables FDA to centrally gather information related to companies seeking an exemption.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The SBNLE system contains information submitted by businesses seeking an exemption. To receive an exemption, businesses must submit a form requiring the firm type, name, mailing address, phone number, email address, time period for the exemption, number of employees, volume of product sold, and the name, title, and work phone number for the firm contact person.  SBNLE also retrieves information from other FDA systems.  It retrieves information from the Field Accomplishments and Compliance Tracking System (FACTS) database to automatically determine a company type (such as manufacturer or importer) based upon their Federal Employer Identification (FEI) number. SBNLE retrieves FDA employee data from the Enterprise Administrative Support Environment (EASE) system to automatically and securely log on authorized users.  The only personally identifiable information (PII) collected via the SBNLE system is contact and authorization information for FDA employees involved in the exemption process and contact information for the small business employees involved in requesting an exemption.  Submission of this information is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is not a notice and consent process specific to the SBNLE system. At the time of hire, FDA personnel are given notice of and consent to FDA’s use of their professional information in relation to their work as a federal/FDA employee.  They can update and correct the information at any time through existing procedures.  Small business/firm points of contact self-submit PII (work contact information) for use in communicating with FDA regarding the labeling exemption and can view additional information on FDA’s privacy policies permanently displayed on FDA.gov.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information is protected by administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CFSAN Voluntary Cosmetics Registration Program [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  4/13/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-0505-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  OMB 0910-0027 (Exp. 04/30/2014)
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CFSAN Voluntary Cosmetics Registration System (VCRP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Shontell Wright
10. Provide an overview of the system:  The Voluntary Cosmetics Registration Program (VCRP) is a web-based system allowing the cosmetics industry to obtain a registration number for manufacturing establishments and a filing number for cosmetic product formulations by electronically requesting it, i.e., completing Form 2511 or 2512 over the Internet.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The Voluntary Cosmetics Registration Program is a web-based system allowing the cosmetics industry to obtain a registration number for manufacturing establishments and a filing number for cosmetic product formulations by electronically requesting it using their web browser. Once an online account is opened, they are able to submit manufacturing establishment and product and ingredient information using web-based Forms FDA 2511 and 2512.

The program is voluntary.  Companies are requested to provide the physical location of their manufacturing establishments so they may be inspected. Participants are also requested to provide information on their cosmetic product formulations, which aids the Agency in determining what ingredients are being used in cosmetic products and what preservative systems are being used to protect the integrity of the product.  The PII collected in the system is limited to professional contact information (such as the name, job title and work phone number) for the individual authorized to submit materials for a participating company.  Participation in the program and submission of the contact information PII is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is not a notice and consent process specific to this system. All VCRP information is voluntarily submitted as indicated on Forms 2511 and 2512.  Individuals/companies may opt not to participate.  Submitted forms are provided online via FDA.gov where individuals may view the Agency’s website and privacy policies.  If the FDA’s use of PII in the system changes, the Agency will provide any required notice and obtain consent from individuals regarding the collection of PII. This may include email to individuals, adding notice language to forms, and adding or updating online notices.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Information contained in VCRP is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB. All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CTP Electronic Submissions [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Internal Flow or Collection 
1. Date of this Submission:  3/26/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  OMB No. 0910-0650; 0910-0654
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CTP Electronic Submissions
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  David Curtis
10. Provide an overview of the system:  In accordance with the provisions of the Tobacco Act, specifically sections 905, 904(a)(1) and 904(a)(4), the Industry (tobacco manufacturers) submits registration and product listing, ingredient listing and health documents data. This registration and product information may be submitted via the eSubmitter application, through the FDA Electronic Submissions Gateway (ESG), physically on CD, or on paper. Aspects of the eSubmitter system will streamline the submissions process and equip the Center for Tobacco Products (CTP) to manage and regulate the tobacco industry by providing a means to: load/record submissions received via the ESG, on CD and paper; track and review all submissions received; and store the submissions and all documents associated with the submission.

In addition to submissions received from Tobacco Industry, the general public can submit Tobacco adverse event reports, such as a report of an adverse reaction to a tobacco product.  Public submissions are also received and processed by the eSubmissions systems.  They are created by the public using the Safety Reporting Portal (SRP) and are submitted via the FDA Electronic Submissions Gateway (ESG).  Like industry submissions, adverse event submissions will be stored along with all attachments included in the submission and will be made available to assigned FDA/CTP personnel.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system collects two sets of information. The first is information from members of the tobacco industry regarding tobacco registration, tobacco products, their ingredients and where they are made. This information is used to make scientific and regulatory decisions regarding these products and the tobacco industry. In this data set, collected PII is optional and limited to work contact information for industry personnel associated with submissions to FDA.

The second category of information is adverse event information voluntarily submitted by the public. Within FDA, personnel in the Office of Science and the Office of Compliance and Enforcement are granted access to all adverse events data for review of these submissions.  In some cases, the public may submit PII consisting of an individual’s personal and contact information.  Submission of this PII is not mandatory. Adverse event reports and related information submitted by members of the public are submitted voluntarily.  This PII data will not be regularly reviewed except in some rare circumstances where follow-up with the submitter is required.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  A Notice of Privacy Practices (NPP) will be posted on the data gathering system, the Safety Reporting Portal (SRP), and submitters will be required to agree to the terms and conditions of the NPP before submitting data into SRP.  Individuals or entities (such as physicians or hospitals) that collect PII from third parties (such as patients) and submit information via the SRP, will be required to attest that they have obtained the appropriate consent (where applicable) and have notified the individual that their personal and/or medical information will be entered into SRP.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information is protected by administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  4/2/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CTP Menthol Document Analysis Tool [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  1/4/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Menthol Document Analysis Tool
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Deborah Sholtes
10. Provide an overview of the system:  This tool is a document management, search, retrieval, cataloging, indexing, and analysis tool for menthol tobacco documents submitted by the tobacco industry.  The contractor will use a file server, a database, a search engine, and a web interface as an integrated tool within an enhanced security intranet environment.  The tool will fulfill the need to code and abstract 400 GB of documents on menthol cigarettes provided by the tobacco industry. The tool will allow CTP Office of Science and the Tobacco Products Scientific Advisory Committee (TPSAC) to meet its obligation under Section 907 (e) of the Family Smoking Prevention and Tobacco Control Act to provide recommendations on menthol cigarettes no later than March 23, 2011.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This tool is a document management, search, retrieval, cataloging, indexing, and analysis tool for menthol tobacco documents submitted by the tobacco industry.  These documents include information on tobacco firm processes for manufacturing, marketing, and researching mentholated tobacco products.  The tool will fulfill the need to code and abstract 400 GB of documents on menthol cigarettes provided by the tobacco industry. The tool will allow CTP Office of Science and the Tobacco Products Scientific Advisory Committee (TPSAC) to meet its obligation under Section 907 (e) of the Family Smoking Prevention and Tobacco Control Act to provide recommendations on menthol cigarettes no later than March 23, 2011.

The information contained in the system is not related to individuals.  There is no personally identifiable information collected, maintained or disseminated by this system.  The information within the system is limited to tobacco products and tobacco firm processes.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Deborah Sholtes
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  1/4/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CTP Tobacco Inspection Management System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  2/10/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  Not Applicable
6. Other Identifying Number(s):  Not Applicable
7. System Name (Align with system Item name):  FDA CTP Tobacco Inspection Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Sophia Donaldson
10. Provide an overview of the system:  The Tobacco Inspection Management System (TIMS) is designed to support the business processes of the Food and Drug Administration (FDA) Center for Tobacco Products (CTP) related to the collection and organization of tobacco inspection data from retail locations.  This data will be collected by state officials conducting retailer inspections under agreement with FDA.  The inspectors will utilize a mobile device application and/or paper process, and the data will be transmitted to a database housed on the FDA extranet.  User management, assignment management, retail establishment management, and data validation tasks shall be conducted from a front-end web application through the FDA extranet.

The TIMS system is composed of four primary components: the front-end (user) web interface for accessing and managing FDA tobacco inspection assignment information and related processes, a mobile device application for conducting field inspections, Casper Mobile Device Management (MDM) to manage/update the iPhone Operating System (iOS) as well as mobile devices, and a central database for storing the tobacco inspection assignment data.

Additionally, CTP has implemented a Training Module for TIMS.  The components of the TIMS Training Module are exact copies of the TIMS application and database (with no data) that users will connect to in order to learn how to use the system.  Users connect to the Training Module in the same way as they connect to the TIMS application--with a web browser and/or TIMS configured iPhones.  The TIMS Training Module application components are hosted on the same application servers as TIMS Production.

The TIMS Casper Mobile Device Management System (TIMS CASPER MDM) will support the management of mobile devices used to collect and organize CTP related tobacco inspection data from retail locations. The TIMS Casper MDM communicates with the mobile devices via the FDA extranet and provides the ability to remotely manage Configuration Profiles, gather a full inventory including installed apps, distribute applications and settings based on smart groups, and generate auditing reports.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  FDA will use the Tobacco Information Management System (TIMS) to collect information related to inspections of businesses engaged in the sale of tobacco products and inspections of tobacco advertising and labeling.  The purpose of the system is to facilitate the administration of inspections (e.g., track inspection work flow, distribution and completion), and to maintain information for potential use as evidence of violations.

The collected information will include the legal or trade name of the business, the business address, and the name and address of the owner.  It will also include general information regarding the sale of tobacco products to minors and the advertising and labeling of tobacco products. As part of the inspection, state inspectors may take photographs of tobacco products, advertisements and packaging which will be submitted to TIMS and used as evidence of violations by the business.  TIMS will not contain photographs of people or items that identify individuals.

TIMS will contain limited information about individuals. The system will contain an inspector name and inspector identification number for administrative purposes, but no other information about the inspector.  In the event of a sale of tobacco to a minor, the name of the store clerk may be included as part of inspection information included in TIMS.  TIMS will not contain any other information about a clerk.

Submission of the PII processed in TIMS is not mandated by statute or regulation but is required for operational and administrative purposes.

Within FDA, the TIMS application will have an internal-facing component in which FDA employees will review submitted inspection data and determine whether legal action is warranted against any offending business.

The Mobile Device Management (MDM) element of TIMS will not collect or contain PII.  MDM will collect only technical data related to each FDA-issued mobile device including an inventory of applications on a device, and security and configuration settings installed on the device.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Users voluntarily provide their name and/or inspector ID for the self-evident purpose of performing their duties.  TIMS users are advised at the login screen that they are accessing a U.S. Government information system, their system usage may be monitored, recorded, and subject to audit, unauthorized use of the system is prohibited and subject to criminal and civil penalties, and that use of the system indicates consent to monitoring and recording.

If FDA's privacy practices change or FDA changes its collection, use, or sharing of PII data in the system, the individuals whose PII is in the system will be notified in the most efficient and effective form available and appropriate to the specific change(s). This may include establishing a formal process involving written and/or electronic notice.  Alternatively, notification will be made by informal processes such as email notice to the individuals affected.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information is protected by administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  2/22/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CVM Animal Drugs @ FDA (ADAFDA Greenbook) [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  12/22/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  CVM Animal Drugs @ FDA (ADAFDA)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Margaret Zabriski
10. Provide an overview of the system:  The Food and Drug Administration’s (FDA) Center for Veterinary Medicine (CVM) administers the Animal Drugs @ FDA (ADAFDA) system. ADAFDA is FDA’s internal administrative portal for entering and maintaining information about approved animal drugs, for monthly updates to the FDA publicly accessible website, also called Animal Drugs @ FDA.  The system enables FDA to meet its statutory obligation to provide the public with animal drug information such as drug application number, the entity sponsoring the application, drug ingredients, species for which the drug is approved, drug indications, dosage information and other similar data.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system collects information on animal drugs such as the proprietary name of the drug, the drug application sponsor, patent number and expiration date, drug ingredients, dosage information, drug indications and limitations, and conditions of use.  By employing this system to centrally collect this information, FDA is able to make it available to the public in accordance with the Federal Food, Drug, and Cosmetic Act.  The system does not solicit, collect, maintain or disseminate PII, and for this reason the question of whether submission of personal information is voluntary or mandatory does not apply.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Because the system does not collect PII, this question is not applicable.  If FDA’s use of the ADAFDA system changes with regard to PII, the Agency will employ efficient measures to provide any required notice and obtain consent from individuals regarding the collection of PII.  This may include email to the affected individuals, online notices and disclaimers, clickable affirmative consent buttons, or other available technological means for notification and consent.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Dr. Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  1/25/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA CVM Corporate Database Portal [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  3/26/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-09-02-4070-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  0910-0032
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA CVM Corporate Database Portal (CDP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Margaret Zabriski
10. Provide an overview of the system:  The Corporate Database Portal (CDP) is the Center for Veterinary Medicine’s (CVM’s) main transactional database that supports various data applications for CVM divisions such as CVM’s Office of New Animal Drug Evaluation (ONADE), Office of Surveillance and Compliance (OS&C), Office of Research (OR) and Office of Management (OM). It is comprised of four application systems: CDP, CDP-Web, the Fiscal Accounting System (FAS) and the Compliance Log system (LOG).
CDP is the entry portal for eight modules for data entry, data storage, data tracking and reporting throughout CVM:
Submission Tracking and Reporting System (STARS)
Drug Experience Reporting System (DERS)
Drug Product Listing (DPL)
Bioresearch Information Monitoring (BIMO)
Minor Use/Minor Species (MUMS) Index File System (MIFS)
Activity Time reporting (ATR)
Compliance Document Logging Module (CDLM)
National Anti-microbial Resistance Monitoring System - Retail Meat (NARMS RM).

These CDP modules support the pre-market, post-market safety, product quality, administrative, food safety, drug indexing, bioresearch monitoring, and compliance business processes. They enable FDA to administer and manage the review and processing of data necessary to ensure the quality and safety of animal drugs.  This includes processing animal drug application submissions, maintaining post-market animal drug and feed safety reporting information, and performing internal accounting tasks.
CDP-Web is the Java-based version of the user interface, currently providing access exclusively to STARS.
The Fiscal Accounting System (FAS) is a centralized system used to track expenditures to the team level and to reconcile Office of Financial Management (OFM) accounting within FDA. FAS provides the management officers with the ability to track calls placed against a VISA (government credit cards) or MOD (contract modifications). The system provides standard reports for each office as well as specialized reports tailored to their specific needs.
The Compliance Log System (LOG) used by the Division of Compliance consists of three modules.
The Correspondence Tracking module tracks correspondence received by the division with regard to animal drugs. It provides various pending, completed and overdue internal reports.
The Regulatory Action module tracks regulatory actions taken against a company or person subject to animal drug regulations. Various types of reports are available for management use.
The Export Certificate Logging module tracks information related to requests for animal drug and animal food/feed export certificates. Information from this module is sent to the Office of Financial Management (OFM) for billing purposes.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The Corporate Database Portal system (CDP) contains information on:
Pre-market animal drugs and feeds such as research sponsor name (corporate owner), active drug ingredients, indications for use, and relevant species;
Post-market safety of animal drugs and feeds (such as adverse drug events and drug experience reports);
Animal drug products and related establishments;
Activity time reporting;
Animal drug research monitoring (clinical investigators, contract research labs, manufacturing sites);
Correspondence contacts;
Export certificates;
Regulatory actions; and
Similar FDA programs administered by the Center for Veterinary Medicine (CVM).

The system components collect this information to track the drug approval process and other administrative functions performed by CVM in accordance with the Federal Food, Drug, and Cosmetic Act (FD&C Act).

The personally identifiable information (PII) in this system consists of name and professional contact information, such as office address and phone number, for clinical investigators, research sponsor personnel serving as the sponsoring entity’s point of contact for interaction with FDA, and CVM personnel who use CDP (for activity time reporting and other administrative purposes). Submission of this information is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is not a notice and consent process specific to the CDP system. At the time of hire, CVM personnel are given notice of and consent to FDA’s use of their professional information in relation to their work as a federal/FDA employee.  They can update and correct the information at any time through existing procedures.  Clinical investigators, veterinarians, animal owners and other external submitters receive notice as displayed on the submission forms, on fda.gov where the various submission processes are described and where a link to the FDA privacy policy is permanently displayed, and, within the relevant statute, regulations and related Federal Register notices.  In addition, certain submission forms provide for submitter confidentiality or allow the submitter to choose whether his/her identity is disclosed to the manufacturer of a drug about which an adverse event or problem report is submitted.

If the FDA’s use of PII in the system changes, the agency will employ measures to efficiently provide any required notice and obtain consent from individuals regarding the collection of PII. This may include email to individuals, adding or updating online notices and disclaimers, or using other available technological means for notification and consent.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Information contained in CDP is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB. All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA NCTR Research Support [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  5/4/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-1331-00-110-032
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA NCTR Research Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Edward Bearden
10. Provide an overview of the system:  The Research Support System (RSS) is an IT resource used to collect and store data for toxicology studies. It collects subject and experiment data from the introduction of an animal into the NCTR environment by purchase or birth, through the experiment process, and concludes with the data collected from micro-pathological examination of its tissues.  Gene expression (microarray) data is collected and analyzed in the ArrayTrack application.  NCTR’s mission is to conduct peer-reviewed scientific research that supports and anticipates the FDA's current and future regulatory needs.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The RSS collects data required by toxicology studies.  It collects animal data such as weights, food/water consumption, and clinical observations; it collects data such as compound, treatment group and route of administration; and it collects data about the environment in which the experiment takes place such as cage conditions and placements.  It also collects gross- and micro-pathology data and images as well as gene expression data.  These data contain no PII and are required to conduct peer-reviewed scientific research and for the analyses and scientific papers based on the research.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Fred Sadler
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  9/2/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Agency Information Management System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  9/26/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-10-01-1010-00-404-142
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-10-0004 (FDA) Communications (Oral & Written) with the Public, 09-90-0058 (HHS) FOI Case Files and Correspondence Control Index, OGE-1 (Office of Government Ethics) Financial Disclosure Reports & Other Ethics Programs, OGE-2 (Office of Government Ethic
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Agency Information Management System (AIMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Rosie Whitcraft
10. Provide an overview of the system:  AIMS provides administrative tracking and electronic storage for several agency functions.  The core data within AIMS is pulled from the agency ASAP and EASE system for staff, contractor, and organizational data required for the applications.  The core also contains any information that is shared by two or more of the AIMS modules.  The modules are Correspondence (both internally generated and received from external sources), Freedom of Information (FOI), Federal Register (FR), Dockets Management, Advisory Committee, Ethics, Passports, Records Case Management, Office Moves, Awards, eArrive, Security and Fellowship Program.  The system also has a records management application for all records tracked in the system.

The module for Administrative Tracking and Electronic Document Storage of FOI requests, responses, and related correspondence is authorized by the Freedom of Information Act, (FOIA) 5 U.S.C. 552.    The module for Ethics records is authorized by the Ethics in Government Act (PL 95-521) and the Ethics Reform Act of 1989, as amended (PL 101-194).   The Civil Service Act authorizes the module for Security Clearances.  The Federal Advisory Committee Act authorizes the module for Advisory Committee Records.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  AIMS access is restricted. To the extent users across FDA components require read/view access to perform their duties, the specified PII is shared outside the Office of the Commissioner. PII in AIMS is not shared outside HHS/FDA.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  FDA receives approximately 24,000 FOI requests per year.  A tracking system is required to monitor the processing of requests.  In addition, the FOIA and the Ethics in Government Act have annual reporting requirements that are based on information collected in the system.  The Passport staff is responsible for obtaining and maintaining the government-issued passports for all FDA personnel. The eArrive and Fellowship applications collect data on new employees and non-employees in order to bring them on-board and provide them both physical and IT access to FDA property.  eArrive supplies data to the Security application.  eArrive, Security and Passport contain PII.  Both SSN and DOB are mandatory for the processing of passports and obtaining security clearances in FDA.  The information is mandatory if the individual wants to obtain a Government passport and if they want to be able to work at an FDA facility and access the FDA network.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  If a major change or use of data occurs, users are notified via email notification or FDA-wide email.  FOIA information is obtained from correspondence submitted by the FOI requesters and individuals that correspond with the agency or comment on a Federal Register notice.  FDA’s Public Information Regulations at 21 CFR Part 20 inform the public of the procedures for submitting FOI requests.  Federal Register notices inform individuals of the procedures for commenting on a notice.  For Passports, eArrive and Security elements, all information is collected on OMB approved forms that contain notification statements informing the individuals of the purpose for collecting the information and the authority for collecting the information.  For Fellowship program participants, information is collected on an online form with a notification statement informing the individuals of the purpose for collecting the information and the authority for collecting the information.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within AIMS is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within AIMS.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Stephen Veneruso
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  10/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC American Recovery & Reinvestment Act-Patient Centered Outcomes Research [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  1/26/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC American Recovery & Reinvestment Act-Patient Centered Outcomes Research
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Lilliam Rosario
10. Provide an overview of the system:  The American Recovery and Reinvestment Act - Patient Centered Outcomes Research system (ARRA-PCOR) is a grouping of Legacy Data Conversion Project (LDCP), Analytical Tools, and the Partnership in Applied Comparative Effectiveness Science (PACES) project.
ARRA-PCOR does not entail the collection of any new information. The mission of the ARRA-PCOR project is to support the conversion of legacy clinical trial data to the Study Data Tabulation Model (SDTM) format for the creation of analysis data sets to enable exploration of Comparative Effectiveness Research questions related to vaccines, drugs, and medical devices.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  FDA does not collect, maintain or disseminate any new information under the ARRA-PCOR project. Rather, the mission of the project is to take existing clinical trial data sets from FDA electronic document rooms and convert the legacy data formats into a standardized study data tabulation model (SDTM) data format.  Once the data is standardized, it can be researched to enable exploration of Comparative Effectiveness Research questions related to vaccines, drugs, and medical devices.  There is no personally identifiable information (PII) in either the legacy data sets or the converted version of the data sets. The data cannot be linked to individuals or combined with other information to identify trial/study subjects, clinical investigators, physicians, researchers, lab analysts or any other individuals. Because the system does not handle or collect PII, the question of whether submission of PII is mandatory or voluntary does not apply.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  This system does not contain PII, and is not subject to the notice, consent and other provisions of the Privacy Act of 1974.  If FDA’s practices change to include collection or dissemination of PII via this system, FDA will implement an efficient process to notify the affected individuals, such as by direct or agency-wide email.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system does not handle or collect PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  2/22/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Appian Business Process Management [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/16/2010
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Appian Business Process Management
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Janie Ma
10. Provide an overview of the system:  The Appian Business Process Management (BPM) suite facilitates the deployment of robust processes, collapsing time to value for process improvement initiatives.  The Appian BPM Suite is a web-based BPM platform, delivering the ease of use, comprehensive features and flexibility required to accelerate process improvement. By simplifying process collaboration between business and IT, Appian empowers business decision makers, while allowing IT to easily extend, integrate and personalize its BPM applications.

Appian BPM provides the following features:
* Collaborative User Portal-- Appian provides process designers with complete control over the creation of interfaces for end-users, delivering personalized content, shared work queues, and aggregated content from related systems.
* Rapid Application Deployment-- Rapid application development is facilitated by Appian's BPMN modeling, collaborative design, repository of re-usable components, and rich UI controls.
* Real-time Process Architecture-- Appian's real-time process architecture delivers streaming data to dashboards and process rules which monitor all aspects of a process, including highly flexible reports, access to all process data, fast rule processing, and high scalability.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The Appian BPM--planned to go operational in the migration to the FDA data center in Ashburn, VA--will host several FDA applications.  In this sense, Appian BPM will act as a general support system to the hosted applications and will be considered as a component of the FDA Consolidated Infrastructure.  The hosted applications will be able to inherit certain security controls provided by the Appian BPM platform.  These may include audit records generation, access control, and identification and authentication of application users.

The Appian BPM platform utilizes a built-in Apache HTTP server and JBoss Application Server with Apache Tomcat Servlet Containers.  Information will flow from the end user’s web browser to the Apache HTTP server.  The HTTP server will direct the information flow to the applicable application hosted in the JBoss Application Server container.  Appian BPM also incorporates a built-in proprietary database, called the “K Database.”

Appian BPM will host several FDA applications.  These hosted applications will maintain their own information collection and flow based on functional business requirements.  The information collection of the hosted applications is beyond the scope of this security assessment of the Appian BPM.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within Appian BPM is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB. All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within Appian BPM.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Lori Davis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  8/27/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Clarity [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  12/8/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA Clarity
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Heidi Snyder
10. Provide an overview of the system:  This project enables FDA to deploy a robust electronic consumer off-the-shelf (COTS) software tool that is capable of tracking, storing and reporting on IT projects, contracts, assets, and other information. Data stored can be managed by defined workflows/processes that provide oversight and approval mechanisms. Data can be mined to provide a variety of reports, either pre-defined or customized, using a Business Objects application that is bundled with the Clarity product.
Clarity allows FDA: 
* To effectively collect and manage FDA project information in a central repository using the enterprise portfolio management system, Clarity.
* To automate and standardize FDA business and IT processes using role-based assignments and stage gate review support.
* To provide real-time visibility into the status, budget, schedule, dependencies, demand points and other information related to FDA projects.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Clarity captures and stores project, contract and asset management information. This data includes information technology (IT) project status and tracking information, task assignment data, contract item status, project item start/end dates, requisition and invoice data, budget reports, system development data, work planning documents and similar project management and operational information. FDA uses this data internally for the purpose of IT project planning, management and reporting. Clarity does not collect any PII, and therefore the question of whether the submission of personal information is mandatory or voluntary does not apply.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A.  This question does not apply in this instance because Clarity does not contain PII.  If the system changes and PII is collected as a result, FDA will revise this Assessment and leverage existing technologies (e.g., system user notices, employee email) to implement an efficient process to provide notification and obtain any necessary consent from the affected individuals.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  2/6/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Consolidated Infrastructure [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  9/7/2010
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-02-01-01-0301-00-404-139
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Consolidated Infrastructure
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Stephen Veneruso
10. Provide an overview of the system:  FDA is moving towards long-term improvements in the structuring of IT services across centers which is aimed at facilitating greater integration in the delivery of programs and realizing significant cost savings.  Efficiencies will be realized by consolidating the technology infrastructure services and in the standardization of how IT service is provided. 

The consolidated infrastructure is described as local area networks, help desk and call center, voice and data services, desktop management and support, database and server management, and Intranet services.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The Consolidated Infrastructure (CI) is not designed to collect, maintain, or disseminate information.  The CI is intended to provide a secure and reliable computing environment in which other FDA applications and information systems can be hosted.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Lori Davis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  9/8/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Electronic Submissions Gateway [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  9/7/2010
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-0501-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Electronic Submissions Gateway (ESG)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Michael Fauntleroy
10. Provide an overview of the system:  The purpose of the FDA Electronic Submissions Gateway (FDA ESG) is to provide a centralized, secure, Agency-wide solution for receiving electronic regulatory submissions.  The FDA ESG will also be used to transmit regulatory data and information to other Government Agencies.  The FDA ESG is essentially a component of a communications system, collecting information from multiple sources, then forwarding that information to a file server where the appropriate FDA system can retrieve the information. Information is stored within the FDA ESG on a limited basis in support of integrity and availability procedures.  The FDA ESG owns none of the data that passes through its components. The data are “owned” by the supported applications. Thus, the FDA ESG is providing a supporting service to these applications as opposed to performing an FDA mission-specific function.  The FDA ESG project will help the FDA achieve its legal mandate under the Prescription Drug User Fee Act (PDUFA) for eliminating paper transactions in favor of electronic submissions and processing.  The FDA ESG was a specific goal of PDUFA III.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The FDA ESG collects two sets of data.  The first set of data is collected from external Transaction Partners to create user accounts within the FDA ESG to support the transmission of regulatory documents.  The accounts are owned by a corporate entity.  The corporate entity supplies the name, phone number and email address for a primary and secondary contact person.  This information is used by the FDA ESG when necessary to resolve technical issues.  The second set of data is meta-data about each regulatory submission and includes time of submission, user account, transmission protocol, message id, and file name.  This information is used by the Agency to track the submission and aid in file recovery.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Lori Davis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  9/8/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Emergency Operations Network [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  10/12/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-08-01-0305-00-104-010
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Emergency Operations Network (EON)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Wayne Gorski
10. Provide an overview of the system:  The Emergency Operations Network (EON) provides an Agency-wide system to fully support the enterprise for the full range of FDA emergencies through the implementation of two robust infrastructures, functional and technological, and through the reengineering of the present emergency system.  The development and incorporation of agency-wide guidance in the EON will ensure that the Agency response is uniform, consistent, and coordinated. 

The authorizing legislation for EON includes the Food Drug & Cosmetic Act 903(b) and 711, the Bioterrorism Act (2002), and Homeland Security Presidential Directives.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  EON handles data regarding emergency incidents including information about the nature of the incident and personally identifiable information (PII) consisting of contact information for FDA personnel. With regard to PII, EON provides FDA contact data extracted from the publicly available DHHS employee directory website.  Submission of this data to EON is not specifically mandated by statute or regulation.  However, it is required for operational purposes in order to effectively administer the system and coordinate emergency response actions.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Notification and consent as to the collection and use of contact information occurs as part of the hiring process for personnel placed in emergency response positions.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within the Emergency Operations Network Incident Management System (EON IMS) is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB. All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within EON IMS.  It complies with Federal Information Security Management Act (FISMA) requirements for access controls to safeguard information from unauthorized access.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Stephen Veneruso
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  10/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Enterprise Administrative Support Environment [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/13/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-10-01-1020-00-403-131
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-90-0018
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Enterprise Administrative Support Environment (EASE)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Rosie Whitcraft
10. Provide an overview of the system:  EASE is an FDA-wide administrative system that provides essential personnel, organization, and locator information, automates time and attendance, and provides ad hoc reporting through its associated data warehouse.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The Program Support Center (PSC) is provided the Social Security Number (SSN) and system Sequence ID for use with  its Integrated Time and Attendance System (ITAS) single sign-on function.  Location and email information is provided to various FDA Scientific, Regulatory and Administrative systems. The reporting warehouse houses all information and is made available for reporting based on Role access to various information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The information collected in EASE includes PII gathered from personnel in order to securely and effectively administer FDA systems and programs. The submission of this information to HHS is mandatory. FDA personnel data is retrieved from HHS Personnel Files (FDA only) for civilian and Commissioned Corps personnel, for the purpose of providing corporate data to various FDA Systems, and to provide management reports.  Person location data is collected to provide HHS and FDA with location and email directories.  Data regarding non-employee FDA personnel such as contractors is collected to provide a basis for location and security purposes.  The agency maintains only those data elements required for FDA applications.  PSC ITAS employee timecard and leave data (FDA only) is received each pay period, stored in the EASE database and loaded into the RAM data warehouse for reporting purposes.

EASE collects the following PII data for FDA civilian personnel, Commissioned Corps personnel assigned to FDA, and non-employee personnel working at FDA: legal name, date of birth, home address, Social Security Number (SSN), citizenship information, and for non-citizens the Green Card, Passport or Visa number.

PII data for FDA civilian personnel and non-employee personnel working at FDA is collected through an EASE application module, eArrive.  eArrive is the front end data entry application for processing new employees and non-employees into FDA and creates their EASE record.  

EASE receives electronic updates nightly from the HHS Human Resource system (EHRP) with official data on all active FDA civilian personnel.  The primary key between EHRP and EASE is the SSN.  EASE does not send data to EHRP.

EASE receives electronic updates nightly from the Commissioned Corps personnel system.  The primary key is the SSN.  EASE does not send data to the Commissioned Corps system.

EASE exchanges data electronically each night with ITAS (Integrated Time and Attendance System).  ITAS is part of EHRP and is owned by PSC.  The primary key is the SSN.  EASE sends a file of active FDA civilian personnel to ITAS on a nightly basis.  Every two weeks, EASE receives a file relating to payroll from ITAS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  HHS collects the Personnel Data.  The Center Representatives, and the various individuals involved with the specific data collection and use provide notification to the employees and non-employees at the time the data is requested.  Information about the collection of data is provided within the user manuals and in the course of training.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within EASE is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within EASE.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Nipa Shah
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  8/30/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Facility Management System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/10/2009
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-10-02-1040-00-401-119
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Facility Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Don Demers
10. Provide an overview of the system:  Facility Management System is an integrated solution to further provide better services/information to all Centers and ORA on any facility related issue, such as designing, planning, leasing, or operation.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This system will allow the Office of Real Property Services, Office of Shared Services, to maintain a comprehensive database to better serve all Centers/ORA on their needs related to space design, planning, and any alteration projects within the Food and Drug Administration.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Lori Davis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  John R. Dyer
Sign-off Date:  8/22/2008
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC FDA Records Management Training [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  5/31/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-90-0018
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA Web-based Records Management Training Module
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Garland Hodges
10. Provide an overview of the system:  The system provides web-based mandatory training for FDA users (FDA personnel including staff, fellows and contractors) on federal records management related statutes, regulations and FDA policies. Completion of records management training is mandatory for FDA personnel. The system is internal (not publicly accessible), and access is limited to FDA personnel who require access in relation to their work with FDA.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The system shares EASE ID with Training Solutions Plus (TSP), Inc. TSP is contracted to host the FDA Records Management Training Module in accordance with HHS and FDA IT security requirements.  PII data is being shared to support FDA personnel access to the mandatory records management training course.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The FDA Records Management Training Module is an internal system that will collect and maintain one year of records management training history for FDA personnel, such as course completion dates, incompletion status data and issuance of course certificates.

The system will maintain a limited scope of personally identifiable information (PII) pushed from EASE consisting of the name, e-mail addresses, EASE ID, FDA Center name and organization acronym for FDA personnel.  This information is used only for the purpose of notifying personnel to complete mandatory records management training.

Submission of the PII (work contact information) to HHS/FDA is mandatory.  Annual completion of records management training is mandatory for FDA personnel.  The system is accessible only to FDA personnel, and system information is not shared outside FDA/HHS.  The system stores the contact information PII for the purpose of notifying personnel to complete mandatory records management training.  The system does not share this PII outside FDA/HHS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  As a condition of employment, FDA personnel consent to the government’s use of their information in relation to their work with a federal agency.  Information about the collection and use of information is provided in the course of orientation and training. HHS and FDA representatives, and the various individuals involved with the specific personnel data collection and use (such as Human Resources staff) provide notification to the subject personnel at the time the data is requested.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  PII is secured inside of Training Solutions Plus and PowerTrain’s Baltimore DataCenter. The datacenter features guards, key codes, biometric locks, and a CCTV service. Additionally, administrative access to the data center is limited to select PowerTrain personnel. All data is password protected within a MySQL database.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  6/26/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / FDA OC FDA Unified Registration and Listing System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  2/10/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-10-01-1030-00-114-043
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  OMB 0910-0502
6. Other Identifying Number(s):  FDA Form Number 3537/3537a
7. System Name (Align with system Item name):  FDA OC Unified Registration and Listing System (FURLS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  William Leung
10. Provide an overview of the system:  The Bioterrorism Preparedness and Response Act of 2002 (the Bioterrorism Act) was designed with the purpose of protecting the United States against acts of bioterrorism.  A significant safety measure that must be taken as a part of this mission applies to the protection of the nation’s food supply against the threat of intentional contamination.  To support this effort, the Bioterrorism Act requires that the Food and Drug Administration (FDA) develop a system for registering food facilities.  To fulfill this requirement, FDA designed a major application, the FDA Unified Registration and Listing System (FURLS).  FURLS is a web-based system that will allow food facilities, or “users,” around the world to register with FDA.  Users can access the FURLS system at any time through the FDA website in order to register with FDA.  The majority of FURLS users are account holders who utilize FURLS to register their food facilities. The remaining users are comprised of FDA personnel who use the FURLS system to access the facilities’ registration information. 

Section 510 of the Food, Drug and Cosmetic (FD&C) Act and 21 CFR part 207, inter alia, require establishments (e.g., manufacturers, repackers, and relabelers) to register with FDA upon engaging in the manufacture, preparation, propagation, compounding, or processing of FDA regulated products including food, human drugs, veterinary drugs, poultry and biological products, with certain exceptions.

FURLS users consist of: (1) individuals required by law or authorized by an establishment to initiate and/or maintain a registration with the FDA (general system users/external users), (2) authorized FDA personnel, and (3) authorized FDA contractor personnel who may support system operations after deployment.

FURLS has the following Web-Based modules:

Account Management (OAA)
Implemented in 2003, this subsystem maintains account information used to manage user accounts, control user log-on, and authenticate the account to determine which system modules the account can access.
Food Facility Registration Module (FFRM)
Implemented in 2003, this module is used to register facilities that manufacture, process or hold food that is sold for consumption in the United States. This includes foreign facilities that export food to the US.

Drug Facility Registration Module (DFRM)
Implemented in 2006, this module is used to register facilities that manufacture drugs sold in the US, including foreign facilities.

Devices Registration and Listing Module (DRLM)
Implemented in 2007, this module is used to register facilities that manufacture medical devices, and to list the products manufactured at these facilities.

Alert Module (Alert)
Implemented in 2007, the Alert Module is used to send mass notifications to selected facilities. The initial version of the Alert Module supports FFRM. In the future, other modules will be modified to enable the Alert capability.

Certificate Application Process (CAP)
The CAP system allows the US manufacturer to apply for export certificates electronically with the FDA.

FURLS has the following support systems for the aforementioned web-based applications/modules.

Daily Batch Processor (DBP)
The DBP system is used to perform batch processing activities such as requesting FEI number for new food registrations and processing the response, providing updates to FMLS, and sending notifications to submitters based on time released triggers.

Message Processor – Enterprise Service Bus (MP-ESB)
The MP-ESB system is used to send e-mail notifications for FFRM, DFRM, DRLM, Alert and CAP as part of the online submission process or on request.

Paper Processor (PP)
The PP system is used to generate PDF files for paper notifications for FFRM and DFRM as part of the online submission process or on request.

FURLS Scheduler
This is used by the FURLS Applications like DRLM, DFRM and Alert System for executing the batch relat
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII in the FURLS system is available to other FDA components.  It is not disclosed outside FDA.

FDA’s Office of Regulatory Affairs (ORA):
ORA personnel who operate their Firms Master List Service system (FMLS) have restricted read access to some of the tables of the Food Facility Registration Module (FFRM) database through which they retrieve information about the facilities.

FDA’s Center for Devices and Radiological Health (CDRH):
CDRH personnel query the data indirectly from Device Registrations & Listings Module (DRLM) database to pull out information about medical devices registered with DRLM.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  FURLS is a web-based system with around-the-clock access allowing foreign and domestic facilities to register with FDA.  The majority of FURLS users are account holders who utilize FURLS to register their food, device, drug and poultry facilities. The remaining users are FDA personnel and contractors who use the system to access facility registration information. 

Information Collected, including voluntary and mandatory PII. FURLS processes a variety of registration related data, including PII collected for administrative and user contact purposes.  Specifically, FURLS processes:

  • User/Registrant’s name and facility name (parent company name if facility is a subsidiary)
  • Facility address (parent company address if facility is a subsidiary)
  • Preferred mailing address
  • User’s email address
  • User’s telephone number
  • User’s fax number
  • User’s answer to a verification question for password
  • User’s password
  • Emergency contact name
  • Emergency contact title
  • Emergency contact office phone number
  • Emergency contact mobile phone number
  • Emergency contact email address
  • Facility trade name(s)
  • Seasonal start/end dates*
  • Establishment type*
  • Storage type (appears if establishment type was Warehouse/Holding Facility)
  • General Product Category (appears if establishment type is NOT Warehouse/Holding Facility)
  • Statement certifying that all information submitted is true and accurate
  • Registration and PIN numbers
  • Firm Establishment Identifier (FEI) Numbers
  • Web URL*
  • For foreign food facilities only: U.S. Agent name, address, phone number, email address, and fax number.

*Data accompanied by an asterisk (*) is submitted at the option of the user; submission is not mandated by statute or otherwise required by FDA.  Other data elements are required for operational purposes but not necessarily mandated by regulation or statute.  Information required by regulation or statute is noted in the descriptions below.

Purposes for the information collected
To accomplish the functions of the system, FURLS consists of a number of modules: Food Facility Registration Module (FFRM) and the Account Management module and others described below.

Account Management Module
The Account Management module handles the creation and administration of user accounts for access to all FDA registration and listing modules.  For FURLS, the module allows general system users who submit food registrations and updates to create and maintain secure login accounts (the terms “general system user” and “registrant” will be used interchangeably).  Users will be authenticated by the Accounts Management system prior to accessing FURLS.  The registration and listing module (FFRM) operates to enforce specific access rules for users. For FDA personnel users, the Account Management module employs the business rules and infrastructure implemented by the separate Enterprise Administrative Support Environment (EASE) system in creating and administering FDA personnel user accounts.

Food Facility Registration Module (FFRM)
The Food Facility Registration Module enables the registering of food facilities as required by the Bioterrorism Act of 2002.  The FFRM prompts registrants to enter information pertaining to their facility such as the address of the facility, the facility trade name, the establishment type, and the general product category.

In addition to gathering facility information, the FFRM supports the processing of registration related correspondence, either by email or in paper form. There are four types of correspondence:  
  • Facility Return Receipt:  Many registrants will already have Firm Establishment Identifier (FEI) numbers.  For those that do not already possess an FEI numb
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is no existing notification process for this system which is not subject to the Privacy Act. If FDA's privacy practices change or FDA changes its collection, use, or sharing of PII data in FURLS, FDA will notify the individuals whose PII is in the system in the most efficient and effective form available and appropriate to the specific change(s). This may include establishing a formal process involving written and/or electronic notice.  Alternatively, notification will be made by informal processes such as email notice to the affected individuals and/or by FDA-wide email.

32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  System information is protected by administrative, physical, and technical controls in accordance with policies and regulations established by the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within FURLS.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  2/10/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Financial Reporting System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Significant System Management Changes 
1. Date of this Submission:  12/5/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Financial Reporting System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Amy Kramer
10. Provide an overview of the system:  FDA has restructured its internal financial systems and standardized related business processes to better integrate with HHS’s Unified Financial Management System (UFMS) and related financial processes.  The resulting system is FDA’s Financial Reporting System (FRS), which is composed of two interrelated applications:  Hyperion, a Planning system, and the Business Intelligence Reporting System (BIRS), also referred to as OBIEE because it utilizes Oracle Business Intelligence Enterprise Edition Plus.   These applications replace the Asset Management System (AMS) and Central Accounting System (CAS). 
BIRS is a comprehensive suite of business intelligence tools and infrastructure.  BIRS generates management reports to bring greater business visibility and insight to a broad audience of users.  It allows users to have Web-based self-service access to up-to-the-moment, relevant and actionable finance-related business intelligence extracted from the UFMS system. BIRS is housed on servers at NIH. 

Hyperion Planning is a centralized, Excel and Web-based planning, budgeting and forecasting solution that integrates financial and operational planning processes and improves business predictability.  In FY 2010, in response to expanding requirements, OFM provided significant upgrades to the functionality of the application.  The Hyperion application is hosted at FDA’s Contractor Hosted Data Center in Ashburn.

These reporting systems and FDA’s User Fee System make up a single investment that supports Office of Finance activities related to fee collection and FDA budgeting.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No PII shared or disclosed
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  For the BIRS component of this system, the Extract/Transfer/Load (ETL) process extracts financial information from HHS’s Unified Financial Management System (UFMS) and loads it into the BIRS database for financial and business planning and budgeting purposes.   In addition to financial data, the information transmitted by HHS includes two items of PII: employee social security numbers (SSNs) and addresses.  No other PII exists in the BIRS or Hyperion databases.  FDA does not request or require the employee SSNs and addresses. FDA does not share this information or use it in any current or planned processes.  Because this system receives the PII from UFMS, the question of whether submission is voluntary or mandatory does not apply.

For additional background on the PII collected by HHS in the UFMS and its related subsystems (e.g., whether submission of the information is voluntary or mandatory), the PIA and System of Records Notice for UFMS is available through HHS.gov (SORN No. 09-90-0024, Financial Transactions of HHS Accounting and Finance Offices).

The Hyperion database contains financial management, planning, and accounting information about FDA offices.  It has no data on individuals.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  PII is limited to two items. Only SSN and address information relating to employees is included in the data received from UFMS and maintained in the BIRS database.  It is neither used in BIRS nor shared with any other systems. Documentation (SORN, PIA) for the HHS source system, UFMS, indicates that HHS provides notice and obtains consent directly from individuals electronically and in writing.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within FRS is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB. All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within FRS.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  12/9/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC HP Service Manager 9.30 [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  Not Applicable 
1. Date of this Submission:  4/26/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  OPM/GOVT-1, 09-90-0018, 09-90-0777, 09-90-0024
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Hewlett Packard Service Manager Version 9.3
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Kellie Clelland
10. Provide an overview of the system:  The Hewlett Packard Service Manager (HPSM or Service Manager) is HP’s enterprise service management solution. Its integrated applications are designed for easy implementation, with best practice work flow elements that help organizations support their infrastructure and advance their core business activities. FDA uses Service Manager to effectively administer internal service and support operations, and manage the Agency’s organizational assets: the people, knowledge, information, processes, equipment, documentation, software, and all tangible resources collectively known as infrastructure.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  PII is not shared outside HHS/FDA.  The system shares PII between authorized FDA and HHS personnel including: (1) FDA Employee Resource and Information Center (ERIC) Human Resources (HR) helpdesk personnel (who are responsible for tier 1 support, and may be involved with entering the help ticket information into the HPSM system), (2) authorized FDA Payroll employees (who are responsible for verifying or correcting the PII information that is collected by HPSM, and potentially entering the information into the HHS Defense Finance and Accounting Service system (DFAS)), and (3) with authorized HHS HR personnel (who would also be responsible for verifying or correcting the PII information entered into the HHS DFAS). No HHS personnel will have direct access to HPSM or the data stored in HPSM.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1) The information collected, maintained and/or disseminated includes PII.  The PII is limited to that of FDA personnel (permanent employees and contract employees) and consists of name, Social Security number, date of birth, home/personal mailing address, home/personal phone number, personal email address, bank account and routing numbers, device identifier (such as laptop property and serial numbers), and individuals’ employment status.
2) The HPSM collects this information to assist individual employees/contractors who need their PII updated in their FDA/HHS records, and to otherwise make changes in order to maintain the accuracy of this information. For example, if an individual receiving paychecks via direct deposit changes banks, he or she will need to have their bank account and routing information updated.
3) The information collected may include the PII described above. The collection of PII is not the sole purpose of the HPSM application.
To facilitate the processing of their help desk requests, personnel may be asked to provide PII such as name, office email address, or the property or serial number (device identifier) specific to equipment assigned to the individual. Beyond this practical necessity, submission of PII is not required.  Individuals may choose to provide PII or other information at their discretion when using an open text field submission.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There is no system-specific process in place to notify or obtain consent from the individual whose PII is in the system when a major change occurs to the system or with regard to the PII being collected. Notice is provided and consent obtained at the time of hire. Consent is a condition of employment.

PII is collected only as needed to correct misinformation within FDA records. Individual personnel are responsible for either entering the PII themselves, or relaying the information to authorized ERIC HR personnel to enter the information into the service ticket. The information is submitted only when requested by the individual and is not shared outside of FDA/HHS. The information collected relates only to FDA personnel, and can only be accessed through HPSM by authorized FDA/HHS personnel.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Access to HPSM will be restricted by use of unique username and password that will only be granted to FDA employees and valid contractors who require access to the system. Additionally, access is restricted to personal identity verification (PIV) card holders.  Access to the PII data itself within HPSM will further be restricted using least privilege policies, which will prevent unauthorized HPSM users from accessing the data. Remote access to HPSM will require a FDA virtual private network (VPN) account, along with a valid RSA token prior to authenticating to the system with a valid HPSM username and password.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/21/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Internet [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  12/2/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-02-01-02-1060-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Internet
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Josh Lehman
10. Provide an overview of the system:  This system focuses on the information technology infrastructure to provide a platform for the display of information on FDA’s public Internet web site, www.fda.gov.  The Office of Public Affairs, Web Site Management Staff, FDA Web Content Program Manager, and center/organization content developers have responsibility for the site's specific content management.  The site provides a mechanism for FDA staff to post FDA information to the public and to ensure the availability and integrity of that data so that the various FDA content managers can safely and securely provide data to the site.

FDA also provides content syndication and health awareness tools to enhance the accessibility and availability of information presented on FDA.gov.  These tools are voluntary self-service mechanisms on FDA.gov that serve as additional avenues of access to publicly available web content and information.  These tools are unidirectional, in that content and information flows in one direction: from FDA to public users who have control over their use of the service.  These tools are not designed to collect information or make any use of the information that users voluntarily provide. FDA does not provide the user-submitted information to other entities.

As adapted from a parallel CDC program, FDA’s OC Internet system will display public interface tools provided to increase access to, and distribution of, content publicly available at FDA.gov. It will include a consolidated publishing or “content syndication” service with a self-serve element for organizations to obtain code to syndicate FDA content among organizations with an interest in FDA activities.  This tool is now in the pilot stage. Use of the syndication tool will be optional.  Those organizations that wish to use the content syndication service voluntarily provide a website URL and e-mail address. FDA does not validate or review this information. Use or non-use of the service does not affect access to public information through other means. Users have complete control over their use of the content syndication service: they are free to change the website URL or e-mail address through which they receive the syndication content, and can end their use of the syndication tools at any time without any FDA involvement.

FDA makes no use of, and does not share, the website or e-mail addresses users choose to employ when receiving the publicly available content for syndication.  Users enroll, and the automated service sends them content.

FDA.gov also provides health awareness and promotional tools such as a Break the Chain of Tobacco Addiction pledge to protect kids from tobacco (pledge widget) which FDA’s Center for Tobacco Products (CTP) adapted from a similar CDC.gov flu shot pledge widget. 

The pledge widget is designed for user interaction purposes only. It is an awareness tool by which participants can promote responsible tobacco retailing and protect children from tobacco products. Users voluntarily participate, or “take the pledge,” by posting a first name, last initial, city and state in order to have their participation displayed on a map. No other information may be submitted. FDA does not verify or trace the information provided. Participants may effectively make data anonymous by providing information that does not identify them.  The pledge widget includes a notice and disclaimer advising participants that by taking the pledge they wish FDA to display the information they provide on the pledge map.

FDA does not require, solicit, collect, use or share the information that pledge participants choose to submit.  FDA.gov serves only as a pledge participation display platform.

The content syndication service is an element of the pledge tool.  Participants may “spread the pledge” via email, Twitter, Facebook or copying and embedding pledge widget code.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This system consists of the information displayed on www.fda.gov. The content and interactive tools on the website are public facing, and do not contain PII.  Because PII is not collected, the question of whether submission of PII is voluntary or mandatory does not apply. Each application and the associated data visible on www.fda.gov is the responsibility of the FDA Website management staff and center/organizations, which manage the content of those systems and the data being provided to the website.  The system is not part of the Infrastructure project.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A.  This system does not contain PII, and is not subject to the notice, consent and other provisions of the Privacy Act of 1974.  If FDA’s policies or practices change with regard to PII relative to this system, FDA will implement an efficient process to notify the affected individuals, such as by direct or agency-wide email.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  1/25/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Mail [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  1/13/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Mail
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Joe Neubauer
10. Provide an overview of the system:  FDAMail is an electronic mail system intended to facilitate FDA business communications between staff, FDA partners, constituents and the public.  The system data, accounts, interfaces and directories allow internal staff to locate and communicate with each other. The system is not designed or intended to collect personally identifiable information (PII). PII within the system is limited to that necessary to operate and administer the Mail system in a secure and efficient manner and consists of contact data for FDA personnel.

It is possible that in using the system end users may include PII in the message body of communications or attachments that they transmit.  Inclusion of PII is beyond the scope of control of the system owners and operators, but technology and policy are in place to protect information should it be included. For example: (1) individualized access controls and restrictions, (2) security clearance requirements for administrators, (3) use of secure email for transmission as detailed below, and (4) FDA policy and procedures (Standard Operating Procedures, Staff Manual Guides, and other roles and responsibilities documents) that dictate use, acceptable behavior, business policy and practices, and similar internal privacy and data security obligations.

Secure email - The system provides the following secure email capabilities to protect data in transit:
- Internet Standard Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Internet Standard Transport Layer Security (TLS) required between FDA and specific domains
- FDA to partner-specific email using a virtual private network (VPN) which provides capabilities similar to TLS but stronger and incorporates capabilities such as digital signatures and encryption 
- Use of Internet Standard opportunistic TLS whenever both sending and receiving systems are capable.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system transports electronic mail (email).  The email system is employed to transmit message traffic and is not designed to collect, store, share, or disclose information. The PII collected is limited to contact information for FDA personnel (employees and contractors with mail accounts).  This information is collected and maintained in order to facilitate electronic contact with and among employees/contractors, and administer secure access to the mail system.  Employees and contractors are required (mandatory submission) to provide their name and contact information in order to work for FDA.  Upon employment, FDA creates individual work email accounts and addresses in Microsoft Exchange and Active Directory. All FDA employees go through the eArrive on-boarding process prior to being granted access to the FDA Email system.  This process includes a background investigation and fingerprinting of the new and existing employees and contractors.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The system is not subject to the Privacy Act and its specific notice, consent and similar provisions.  At the time of hiring, employees/contractors are notified in writing and consent to FDA’s use of their name and individual work email address in association with their employment by FDA.  If FDA’s privacy practices or policies change, or the handling of PII in this system changes, FDA will notify the affected individuals by email.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained in OC Mail is protected by administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting system data and integrity.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  1/20/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Physical Security System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/11/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-10-0018, 09-90-0777
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA Physical Security System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Karl Thrash
10. Provide an overview of the system:  The FDA Physical Security Systems (PSS) is a “major application” for Federal Information Security Management Act (FISMA) reporting and compliance purposes that currently includes two separate systems/applications implemented with commercial-off-the-shelf (COTS) software solutions.

The Building Access System (BAS) component of PSS is implemented in Monitor Dynamics, Inc. (MDI) COTS software.   BAS is comprised of a card access system, intrusion alarm points, emergency contact lists, maps and a central monitoring station located at FDA’s White Oak facility, which is monitored by contract guards 24 hours per day, 7 days a week.

The LobbyGuard System (LGS) component of PSS is implemented in LobbyGuard Solutions, LLC COTS software Kiosk version 3.0.  LGS consists of a visitor registration system. When an authorized FDA employee requests that a visitor be granted access to an FDA facility, that employee’s authorized administrative official will enter the visitor’s information into a web portal. This will cause an authorization e-mail to be sent to the visitor. When the visitor arrives, they can present a printed copy of the e-mail (with barcode) to the Lobby guard and a badge will be printed for them. The Physical Security Branch designees can process badges for contractors/visitors that do not have permanent badges.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The Physical Security System (PSS) contains information about employees and other individuals affiliated with FDA, as well as authorized visitors to FDA facilities. The information is used in the process of issuing an FDA Identification/Access Card permitting access to certain FDA facilities.  The PII in the system includes: name, date of birth, social security number, photograph, personal identity verification (PIV) card number, height, weight, vehicle tag number, access level, building, room number and the nature of the relationship to FDA, for example, whether an individual is an employee, contractor, guest worker, or visiting scientist.  Submission of this information is mandatory; it is necessary in order to verify identity and administer secure access to FDA facilities. Information is provided to HHS/FDA by the individual at the time he or she becomes an employee, contractor or otherwise affiliated with FDA.  The information then resides in source systems from which it is provided to PSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There are no notice and consent processes currently in place within the Physical Security branch.  Notice and consent would be addressed at the time the information is initially provided to other HHS/FDA offices, such as date of hire.
Individuals may update their PII data by submitting an update form to an appropriate supervisor, the Badging Office, or the Parking Office.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within the system is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within the system.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  10/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC Science First [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  2/20/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-10-01-2000-00-202-072
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC Science First
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Ashish Sarin
10. Provide an overview of the system:  SCIENCE FIRST is a virtual agency-wide science center, consolidating scientific information from across the entire agency.  SCIENCE FIRST contains tools and applications supporting the agency's initiative of enhancing science within the agency,  furthering the continuing goal of science-based regulatory decision-making, fostering collaboration and communication between agency scientists, and increasing awareness of FDA research accomplishments.  The regulation that applies to this system is the Government Paperwork Elimination Act (GPEA).
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system collects and disseminates science-related and other pertinent regulatory information such as skills resources, research projects, scientific and regulatory publications, links to training and knowledge enrichment sources, and scientific data sources.  This information will be used to support the agency's initiative to enhance science within the agency,  promote the continuing goal of science-based regulatory decision-making, foster collaboration and communication between agency scientists, and increase awareness of FDA research accomplishments. The question of mandatory or voluntary submission of PII does not apply to Science First. There is no submission of PII. The system does not collect, maintain or transmit PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Because the system does not collect PII, this question is not applicable. If the FDA’s use of the system changes with regard to PII, the agency will employ efficient measures to provide any required notice and obtain consent from individuals regarding the collection of PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eric Perakslis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  2/24/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA OC User Fees System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/6/2010
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-01-01-4140-00-402-125
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  UserFee was only recently discovered to be subject to the Privacy Act.  A SORN is being created, but is not completed.
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA OC User Fee System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Amy Kramer
10. Provide an overview of the system:  The User Fee System is a component system of the Financial Enterprise Solutions (FES) Mission Critical computer security classification investment.  The system application utilizes various modules of the Oracle eBusiness Suite, v.11.5.9.  

The system was developed to respond to the legislative needs of:
Prescription Drug User Fee Act of 2003
Medical Device User Fee and Modernization Act of 2002
Animal Drug and User Fee Act of 2003
Mammography Quality Standards Act

Internal users access the system through the firewall-shielded secure FDA network.  Thousands of external industry users access the system via the Internet through a back and front-end, firewall-shielded sub-network in a demilitarized zone.  System servers are located in the FDA Network Control Center on the second floor of the Parklawn building in Rockville, Maryland.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  All information collected is required to exchange by the federal government to facilitate payments required by the User Fee legislation. The data collected is the minimum necessary to complete the coversheet and billing processes.

Internal users access the system through the firewall-shielded secure FDA network.  Thousands of external industry users access the system via the Internet through a back and front-end, firewall-shielded sub-network in a demilitarized zone.  System servers are located in the FDA Network Control Center on the second floor of the Parklawn building in Rockville, Maryland.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The User Fee System collects data related to transactions for which external industry users must pay fees. Such transactions involve user fees associated with:

· Prescription Drug User Fee Act of 2003
· Medical Device User Fee and Modernization Act of 2002
· Animal Drug and User Fee Act of 2003
· Mammography Quality Standards Act

For internal federal users, the User Fee System collects specifically identifiable information about the names and email address.  The records are of employees responsible for accessing Oracle Applications as approved by the account approval process.

For external industry, the User Fee System collects business identifiable information about name, address, telephone numbers, email addresses, DUNS, waiver information and Federal Employee Identification number.

All information collected is required to exchange by the federal government to facilitate payments required by the User Fee legislation. The data collected is the minimum necessary to complete the coversheet and billing processes.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There are no processes in place.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within User Fees is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within User Fees.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Lori Davis
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  8/27/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA ORA Electronic Laboratory Exchange Network [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  3/28/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-1070-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA ORA Electronic Laboratory Exchange Network (eLEXNET)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Rahsaan Tabb
10. Provide an overview of the system:  The Electronic Laboratory Exchange Network (eLEXNET) was developed to facilitate secure information sharing among public health partners and collaboration among food safety experts.  eLEXNET provides food safety officials with access to food test results for analytes of concern at the detail level and at the product or product industry level.

eLEXNET is a seamless, integrated, secure network that provides multiple federal, state and local government agencies engaged in food safety activities with the ability to compare, communicate, and coordinate findings in laboratory analyses.  The system enables U.S. health officials to assess risks, analyze trends, and identify problem products.  It provides the necessary infrastructure for an early-warning system that identifies potentially hazardous foods.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  eLEXNET currently allows food safety laboratories at all levels of government (federal, state, local) to share real-time food safety sample and analysis data on selected microbiological analytes.  eLEXNET receives sample status and sample analysis summary, laboratory analytical methods and results, and laboratory conclusions from other systems within FDA, as well as from participating laboratories.  All data collections are necessary to meet the goals of this system.  No Personally Identifiable Information is collected or stored in the eLEXNET system. Prior to obtaining access credentials, when laboratories agree with and sign the written Memorandum of Understanding (MOU), they are informed of the data collection process.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Eddie Lim
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  8/31/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA ORA Firms Master List Services [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  2/10/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Firm Master List System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Chris Cross
10. Provide an overview of the system:  The Firms Master List Services (FMLS) system is organizationally located within FDA's Office of Regulatory Affairs (ORA). The system provides a uniform method for accessing and maintaining firm (e.g., regulated food establishments) data across the ORA. The purpose of FMLS is to:   

(1) provide services at near real time operation due to the mission critical 24/7 nature of ORA’s business and the importance of maintaining the accuracy of continuously changing firm data;   
(2) provide a set of services for validating and matching firm data that may be used throughout the FDA;   
(3)  provide mechanisms for adding, updating, merging and unmerging firm data as well as functionality to change, add and update food firm data such as firm ownership, physical location and registration information; and 
(4) adhere to industry standards for Web Services in order to integrate the address validation and matching services with other FDA/ORA applications and to facilitate compliance with any future FDA Service Oriented Architecture (SOA) standards.  

The FMLS system has five main components: 

1.  The Address Validation Web Service (AVWS v1.2) provides service consumers with the capability to validate the addresses and provide geocode information for firm records. The Address Validation Web Service uses the data quality tool, DataFlux, for address validation. The Google Geocode Service is used for the geocoding capabilities. The consumers for AVWS are the Device Registration and Listing Module (DRLM), FDA Unified Registration and Listing System (FURLS), Food Facility Registration Module (FFRM), Firms Management System (FMS) and Automated Commercial System (ACS) Encrypted Social Security (ESS) Update external applications.  

2.  The Match Web Service (MWS v1.0) provides service consumers search functionality for existing firms records in the Firm Master List (FML) database. The Match WS uses the data quality tool, DataFlux, to generate match codes used for matching in FML database. The consumers for MWS are Prior Notice System Interface (PNSI), Prior Notice (PN) PNACS and FMS external applications. 

3.  DataFlux is the new state of the art Data Quality tool acquired by the FDA to maintain firms data quality.  

13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The information FDA collects, maintains and disseminates via FMLS includes Firm Name, Physical and/or Mailing Address, Firm Contact Information, Food Facility Registration, Cross Reference to another FDA Identifier, such as data universal numbering system (DUNS) number or another FDA Establishment Identifier (FEI).  The data maintained within FMLS, together with the system capabilities enable FDA to provide a set of services to FDA’s internal and external system consumers for firm address validation, firm matching, adding, updating, validating, merging and unmerging firm data including food firm ownership changes and registration status changes.  

The FMLS system is not intended to collect PII and does not require or solicit PII.  Personally identifiable information such as the name, work mailing address, work telephone number, and work email address for the firm employee designated as the contact person may be submitted to FMLS voluntarily as part of the contact information for the firm registration if the firm chooses to have a personal contact listed. FMLS does not collect or store any PII other than voluntarily provided firm contact information. Firms may withdraw or amend this contact information at any time.  FMLS is a back-end system, and use of FMLS is not mandatory for any users (physical persons). FMLS is used by systems and provides back-end interfaces to the consumer systems listed in item 10.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Agnes Kivuvani
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Sarah Kotler
Sign-off Date:  6/9/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA ORA Lab Systems [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  5/11/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA ORA Lab Systems
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Timothy Rigg
10. Provide an overview of the system:  The Office of Regulatory Affairs (ORA) Lab Systems is comprised of two applications: the Chemical Inventory System (CISPro) and ExcelSafe.   

CISPro is a reagent tracking system developed specifically for the management and tracking of laboratory chemicals. This relational database program tracks and maintains accurate, real-time chemical inventory information, for use in regulated or non-regulated environments or a combination of both. 

The ExcelSafe application provides the technological tools for any Microsoft (MS) Excel spreadsheets to be compliant with 21 CFR Part 11 (electronic records criteria) in GxP (good practice) environments. This regulation, which applies to all FDA program areas, was intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the public health. ExcelSafe operates seamlessly with spreadsheets and once an MS Excel spreadsheet is opened, all electronic records compliance features work automatically; no changes are required to existing spreadsheets.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The information collected in the ORA Lab Systems (CISPro element) is used to maintain accurate chemical inventory data for chemicals procured, maintained, used/analyzed and disposed of by FDA.  The information includes chemical inventory number, expiration date, and purchase and disposal tracking data. Because no PII is contained in CISPro or ExcelSafe, or the Lab System as a whole, the question of whether submission of PII is mandatory or voluntary does not apply.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Because the system does not currently collect or handle PII, this question does not apply. Should the Agency use the system to collect or transmit PII, FDA will employ measures to provide notice and obtain consent from individuals regarding the collection and use of PII. This may include email to individuals, pop-up messages at login, or other technological means of notifying specific individuals or groups of individuals.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/23/2012
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA ORA MARCS Interface [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  3/13/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-08-01-0202-00-110-032
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA ORA Mission Accomplishment and Regulatory Compliance Services (MARCS) Interface (MI)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Tina Nguyen
10. Provide an overview of the system:  The Office of Regulatory Affairs (ORA) Mission Accomplishment and Regulatory Compliance Services (MARCS) Interface (MI) is a multi-phased effort that will use Oracle Application Development Framework (ADF) software and other Oracle Fusion Middleware technologies to create an environment where users can, with a single sign-on (SSO), access multiple FDA systems.  When fully implemented, the interface will provide: 

A web infrastructure that will support new applications under development at ORA, and a platform for integrating older applications as they are migrated, or reengineered, into a web environment. 

A number of standard services as a part of its environment including workflow, personalization, secure role-based access to systems, Public Key Infrastructure (PKI) integration through the Agency's SSO and Active Directory (AD) Servers, content indexing and retrieval, and other standard web application features. 

Process flow capability that will support import review functionality, allowing import reviewers to retrieve data from multiple databases without the manual processes and cumbersome use of legacy applications that are now required. 

A comprehensive user environment for information management, allowing retrieval of data from all ORA systems, ORA Reporting, Analysis and Decision Support System (ORADSS) and Automated Laboratory Management (ALM). 

An environment tailored to the ORA work community’s information needs. The environment can easily be customized to each user’s role, providing links to supporting systems, websites, and any FDA information needed to support each user’s daily information needs. 

The MARCS Interface will serve as the access control gateway for all ORA applications.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The ORA MARCS Interface will not collect or maintain data except for the minimum needed to establish a secure account ID.  Data accessed through the interface may include:  
Data about the facilities that manufacture, store, process, or ship FDA regulated products into the US. 
Data about importers, consignees, shippers, and carriers involved in importing and/or distributing imported FDA regulated products. 
Data about the size, contents, type of FDA regulated products entering the US. 
Data regarding inspections, reviews, investigations or past history (including recalls) of FDA regulated products entering the US, and entities involved in their manufacture, processing, labeling, shipping or other regulated role. 
FDA approved standards for FDA regulated products. 

Most of this data already exists in FDA legacy systems and is currently used in processes employed to review admissibility of imported foods, drugs, medical devices, and other regulated products.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  George Brush
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  9/2/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA ORA Quality Management Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  2/22/2012
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Quality Management Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Cathy Burns
10. Provide an overview of the system:  The Office of Regulatory Affairs (ORA) Quality Management Information System (QMIS) supports the ORA Quality Management System including ORA laboratory accreditation in defining, tracking, understanding, and continually improving processes and methods. QMIS will support document control, corrective actions, complaints, and record control.

13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  QMIS is not intended to collect, and does not require or solicit personally identifiable information (PII). QMIS does not contain PII. 

QMIS is a document control and management system serving all FDA ORA Offices for core business processes: 

QMS-1: Document Control and Management
The Document Control workflow includes recommending, processing, reviewing, approving, and automated routing of new and changed documents. The scope encompasses standard operating procedures (SOPs), policies, and other directives governing the way the agency does business. The procedure also covers storage of final documents, maintenance of active document lists and master lists, and providing search tools for documents. Forms and evidence generated during quality management activities are covered under Record Control.

QMS-2: Control of Records 
This procedure applies to the control and management of information and collateral evidence collected or generated during quality management activities such as product reports and management reports. The information is stored and retrieved to provide evidence of system performance and effectiveness to assure that records are properly managed.  Records include reports, correspondence, quality records and technical records.  Quality records include the following: internal audit reports, management reviews, corrective and preventive actions.  Technical records include completed forms and reports.

QMS-3: Management Review 
Top management conducts planned reviews of the quality system events and trends to ensure the continuing suitability, adequacy, and effectiveness of the quality system in achieving the stated quality objectives and to ensure continuous improvement. From this analysis, an action plan is developed, implemented and monitored. Action items identified in the action plan are carried out using the corrective action procedure or preventive action procedure as appropriate.

QMS-4: Audits 
Scheduled independent audits are performed to ensure compliance of practice with documents and effectiveness of results in achieving quality system goals. 

QMS-5: Control of Nonconforming Processes, Services, and Products 
This procedure applies to responses to nonconformities (NCs) and the practices to be followed to detect, identify and trend them. Nonconformity is defined as a departure of a quality characteristic from its intended level. Both frequency of occurrence and severity level may determine if a nonconformity or pattern of repeated nonconformities merits a corrective action. On-the-spot or immediate corrections of noncritical NCs are simply logged for historical purposes and can be annotated on the worksheet, report, memo, or similar document.

QMS-6: Continual Improvement 
This procedure communicates the process that involves ORA customers and staff in the identification, design, development, and implementation of strategic and operational initiatives necessary to achieve the organization’s mission: “Protecting and Promoting Public Health.”  This procedure defines the general methods to be followed to define goals and measure results. It will assist users to identify potential QMS improvements that may be gained through process changes, corrections or improvements. The procedure does not require a corrective action to trigger activity. It may lead to a preventive action or a workflow change that will improve staff productivity.

QMS-7: Corrective Action 
This procedure establishes the process to identify, track, trend, and complete the investigation of the non-conformance, and correct the causes of existing non-conformances including complaints in processes, services, products, and the Quality Management System. The cornerstone of corrective actions is written and retrievable documentation of actions taken and follow-up monitoring to determine that corrective actions have been performed, documented and effective.

QMS-8: Preventive Action 
Preventi
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Cathy Burns
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  5/16/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA ORA ShelfLife [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  Not Applicable 
1. Date of this Submission:  11/9/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  n/a
5. OMB Information Collection Approval Number:  n/a
6. Other Identifying Number(s):  n/a
7. System Name (Align with system Item name):  ORA Shelf Life System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  John Ho
10. Provide an overview of the system:  The shelf life program is a database repository employed in support of the Food and Drug Administration/Department of Defense (FDA/DOD) Shelf Life Extension Program. The FDA/DOD Shelf Life Extension Program is a key component of the Medical Readiness Strategic Plan (MRSP). The program's focus is to defer drug replacement costs for date sensitive pre-positioned stockpiled drugs by extending their useful life. The largest participants of the program are the armed services, the Department of Homeland Security's Veterans Administration Emergency Preparedness Program and the Centers for Disease Control and Prevention's Strategic National Stockpile.  A range of medical products is stockpiled such as Tylenol, anti-malaria medicine, and pandemic influenza treatments.  The type of products stockpiled depends on the type of inventory that is requested for shelf life testing.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  n/a
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  In 1986, DOD asked FDA's help to see if any of the medical products would be suitable for use if they were stockpiled beyond their normal expiration dates.  The pilot test conducted in 1986 by ORA's Medical Products Quality Assurance Staff (MPQAS) determined that 89 percent of the lots of medical products examined could be extended for an average of 33 months. In 1987, the Division of Information Systems (DIS) originally developed the Drug Shelf Life System using DATATRIEVE, the Virtual Address eXtension (VAX) retrieval language to capture the data and to provide necessary reports.  The Shelf Life application was redesigned in 1995 using an Oracle database schema and resides on Oracle 10g databases.  The Shelf Life program continues today with an estimated saving of $25 million a year to DOD, with FDA receiving about $450,000 in reimbursements each year. The data in the Shelf Life system is scientific in nature and includes testing lab information, sample size, test sample size, tracking dates, manufacturer’s numbering scheme, and laboratory instructions for medical products being stockpiled.  The system does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A - No PII.  System controls are CHDC-inherited.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms, CISO
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  10/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / FDA ORA TurboEIR [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/5/2011
2. OPDIV Name:  FDA
3. Unique Project Identifier (UPI) Number:  009-10-01-02-02-1070-00-110-246
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-10-0002 and 09-10-0010 (Bioresearch Monitoring Information System)
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  FDA ORA TurboEIR
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Thomas Simpson
10. Provide an overview of the system:  The Office of Regulatory Affairs (ORA), Turbo Establishment Inspection Reports (TurboEIR) is made up of two core applications. The first application is called "Field Agent," which resides on a Field Investigator’s laptop computer. It provides a listing of inspection assignments, a database of citations, and tools for authoring FDA Form 483s and EIRs. On an as required basis, a Field Investigator connects to the FDA Network to receive assignments from the ORA, Mission Accomplishment and Regulatory Compliance Services (MARCS) Field Accomplishments and Compliance Tracking System (FACTS) or to upload the completed 483 and EIR information to a central ORA database.
The second application is Turbo-on-the-Web (TOTW) which is a web application accessible by all authorized FDA employees. Employees with a FACTS account are able to log in to TOTW and query the central ORA database for inspection results or perform searches on information designed to answer specific questions. The data and the Form 483 are uploaded to the central ORA database and district file server that the investigator is assigned.  This data will then become available through the TOTW Intranet Website to authorized personnel in the FDA for analysis and trending. The standardization inherent in TurboEIR reduces inconsistency and improves uniformity in the Form 483 completion process. TurboEIR makes it possible for all investigators to become more productive more quickly.
TurboEIR is in the operational phase of the SDLC and is categorized as a moderate impact system.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The information is shared with various compliance/management operational divisions (such as Center for Biologics Evaluation and Research, Center for Drug Evaluation and Research, Center for Food Safety and Applied Nutrition, Center for Devices and Radiological Health, Center for Veterinary Medicine) in the FDA that perform enforcement, analysis, and trending. The system shares updated telephone and address information with the MARCS Domestics application; this replaces a manual process performed by the investigator.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Turbo EIR collects data on FDA regulated and inspected establishments.  The system collects business data in the form of professional contact information, establishment address and telephone number.  Personally identifiable information collected is limited to the names of clinical research investigators (e.g., physicians) who participate in an inspection.  In some instances, these names are used for Turbo EIR data searches with a linked system of records (Bioresearch Monitoring Information System, SORN number 09-10-0010). Clinical research investigator names are provided voluntarily or on occasion by demand of FDA.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Assigned an inspection, the investigator travels to the establishment to perform it. If the investigator observes adverse conditions, they are linked to the FDA citation database in Turbo EIR Field Agent. Within Turbo EIR Field Agent the investigator is then able to provide specific information relating to each observation. When all observations and specifics are recorded, Turbo EIR Field Agent prints the FDA 483. The investigator then meets with the management of the firm and explains the adverse observations recorded. At this point the firm’s management has an opportunity to have their comments added to the FDA 483. At the end of the management meeting the investigator presents the final FDA 483 (with comments) to the firm’s management and the inspection is complete. Afterwards the investigator, using Turbo EIR Field Agent, authors the Establishment Inspection Report (EIR). An EIR is created for each inspection, even if a FDA 483 is not issued. The EIR is a comprehensive report of the inspection and contains information needed to support the Violation Letter process and of interest to FDA management. The above activities directly support the FDA's responsibility to regulate food, drugs and devices.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The information contained within Turbo EIR is protected by several layers of administrative, physical, and technical controls in accordance with policies and regulations from the FDA, NIST, and OMB.  All applicable security controls are reviewed on a periodic basis to ensure that they are implemented correctly, operating as intended, and producing the desired result of protecting all information within Turbo EIR.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  John Simms
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Frederick J. Sadler
Sign-off Date:  9/23/2010
Approved for Web Publishing:  Yes
Date Published:  9/6/2012
_____________________________________________________________________________
