Font Size Print Download Reader HHS Home|HHS News|About HHS

National Institutes of Health Privacy Impact Assessments

06.3 HHS PIA Summary for Posting (Form) / NIH CC 3M Automated Medical Record Processing System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Apr 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Automated Medical Record Processing and Tracking Applications

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: Automated medical record processing and tracking applications containing demographic and tracking information is maintained on registered Clinical Center patients in order to route documents for creation, recording, retention, signature and location.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The automated medical record processing and tracking applications are a part of the medical record system which is an approved Privacy Act System. As such, each individual is informed of all information practices and any major system changes are published under a revised SORN.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All information is protected by applying user ID, hierarchal passwords and administrative controls including supervisor limiting employee access on a need-to-know and minimum amount basis.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Activity Based Cost System (ABC)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Apr 23, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3099-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): None

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): NIH CC Activity Based Costing System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The ABC System contains information about resource allocation across research protocols conducted in the Intramural Resesarch Program of the NIH, including specific protocol identification data, as well as other information related to medical care, supplies and services related to those protocols.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH employees for budget review and development.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Employees provide names at the time they apply for protocol approval from their IRB, which is required for protocol review and administrative approval. If any information other than employee names are collected, then notification will be sent out from OFRM to each indiviudal. However, there are no current plans to collect additional IIF in the future.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized person may have access to the ABC System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240: smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 14, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Admissions and Travel Voucher Application (ATV)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Apr 23, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Admissions and Travel Voucher (ATV) Application

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: This is an ancillary application part of the CRIS system that allows research teams to register and procure travel requistions and payments.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Shares information with travel agents so that travel arrangements can be made. Sharing is done per SOR 09-25-0200.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Legislation authority is the Public Health Service Act. (42 U.S.C. 241, 242, 248, 281, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.) The information collected is name, date of birth, social security number, mailing address, medical record number. This information is used to register individuals as participitants in clinical trials and to assist in providing travel arrangements for those individuals. Information is disclosed to travel agents to assist in making the necessary travel arangements. Information submission is voluntary.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Notification of all information practices are provide to every patient particpating in research upon initial registration and upon every re-registration, including any changes to collection and types of information.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF is secured using username/passwords, secure sockets, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained,

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Medication Dispensing (Omnicell)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jul 10, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): In process

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC Automated Medication Dispensing (Omnicell)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The system automates the Pharmacy Dept's ability to manage and dispense medications at the point of use, increasing patient safety with the use of medication profiles, improving workflow efficiency and enhancing medication security.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not Applicable

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Admission to the Clinical Center (CC) is completely voluntary and requires consent of each patient. Additionally, each patient is provided a full written accounting of established information practices at the CC, including the capture and use of PII, and has the opportunity to ask questions. Each patient must acknowledge receipt of same through manual signature on the Information Practices Form.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII will reside on a server in the CC DataCenter protected by restricted access and video monitoring. The server will be behind the NIH and CC clinical firewall. The Omnicell SecureVault PC and stand alone PC in the Pharmacy Dept are protected by restricted access and video monitoring. The Omnicell automated medication dispensing cabinets are on the medical VLAN and located in the Nursing Units behind locked doors with access restricted by Staff ID badge or key or cipher lock. Access to the dispensing cabinets is granted by user type and is set by the Pharmacy Dept Omnicell Administrator in accordance with Pharmacy policies. Access to the dispensing cabinets will require password or fingerprint identification and inclusion in specific user types based on the user role.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, 301-496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Nurse Staff Office Schedule (ANSOS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 9, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3008-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC ANSOS: Automated Nurse Staff Office Schedule

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Barbara Quinn

10. Provide an overview of the system: The ANSOS System is used to arrange schedules and project staffing needs for nurses caring for patients at the Clinical Center and is authorized by Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): As per SOR 09-90-0019. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each individual is informed of information practices at the time of job application and subsequently when individual schedules are developed. In addition, the CC Nursing Department is responsible for notifying each nurse of major system changes related to IIF, which may be done electronically or in written form.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized person may have access to the ANSOS System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Biomedical Translational Research Information System (BTRIS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 9, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 00-00-00

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Biomedical Translational Research Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Elaine Ayres

10. Provide an overview of the system: BTRIS will contain longitudinal data, text and images from NIH intramural clinical care and research systems to facilitate data analysis, hypothesis generation and patient recruitment in support of the NIH intramural research mission. Principal investigators and designees (e.g. associate investigators) will be allowed to access identified data only as permitted by their active protocol(s). Other users with appropriate IRB or OHSR clearances will be able to access and query only data in a de-identified manner.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII data in BTRIS will only be shared with authorized principal investigators for patients enrolled in their active protocols or others authorized by the appropriate IRB or OHSR e.g. associate investigators. All others will only be granted access to de-identified data. Data will be used for statistical analysis, hypothesis development & testing, clinical comparison and subject recruitment.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Clinical and research data including diagnostic, therapeutic, imaging, and research testing results will be stored in BTRIS. PII will be collected and will include names, medical record numbers and diagnosis. PII data in BTRIS will only be shared with authorized principal investigators for patients enrolled in their active protocols or others authorized by the appropriate IRB or OHSR e.g. associate investigators. All others will only be granted access to de-identified data. Data will be used for statistical analysis, hypothesis development & testing, clinical comparison and subject recruitment. The collection of all data is voluntary. Every patient must voluntarily execute a protocol consent and admission consent prior to entry onto an intramural research protocol and treatment at the Clinical Center. In addition, each patient is provided a formal notificaion of Information Practices at the Clinical Center must certify that they have be so advised.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Every patient must voluntarily execute a protocol consent and admission consent prior to entry onto an intramural research protocol and treatment at the Clinical Center. In addition, each patient is provided a formal notificaion of Information Practices at the Clinical Center must certify that they have be so advised. BTRIS will contain longitudinal data, text and images from NIH intramural clinical care and research systems to facilitate data analysis, hypothesis generation and patient recruitment in support of the NIH intramural research mission. Principal investigators and designees (e.g. associate investigators) will be allowed to access identified data only as permitted by their active protocol(s). Other users with appropriate IRB or OHSR clearances will be able to access and query only data in a de-identified manner. If a major change occurs, a revised Information Practices From will be developed and presented to each patient.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The BTRIS system and all data contained therein are protected using administrative, technical and physical security and privacy control. The system is behind locked doors, monitored by closed circuit TV and security cipher locks. In addition, only principal investigators or others authorized by an appropriate IRB or OHSR have access PII, while all others only have access to de-identified data. Access is also restricted based on user roles and password authentication.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Jerry P. King, CC Privacy Officer, (301) 451-4954, jking@nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 14, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Blood Bank Collection System (BBCS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 29, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3007-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0011

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Blood Bank Collection System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Boyd Conley

10. Provide an overview of the system: The systems contains data regarding donors at the Department of Transfusion Medicine used to conduct clinical care and research at the Clinical Center as authorized by Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each individual donor is informed of required information collection and uses before donation. Major systems changes would be sent directly to each donor and new consents obtained upon new donations.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized person may have access and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Information System (CRIS Core)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Apr 27, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-01-3006-00-110-219

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): CC-1

7. System Name (Align with system Item name): Clinical Research Information System (CRIS Core)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Jon McKeeby

10. Provide an overview of the system: Core system and component applications to document clinical care and research for registered patients at the Clinical Research Center: NIH. This activity is authorized by Section 301 of the Public Health and Safety Act

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The Mayo Clinic for contracted lab tests not performed by the Department Of Laboratory Medicine at the CC.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information collected includes individual pateint demographics, clinical research data and those related to diagnosis and treatment at the Clinical Center. These may include results of laboratory tests, imaging studies, blood product utilization,social work encounters, medical & ethical consults, surgery and other related clinical interactions while a patient at the Clinical Center. Patient information collected by the NIH as described in the NIH System of Records 09-25-0099 is utilized as the official clinical research record for each research participant. The information contains IIF and the submission is voluntary based on an individual's consent to become a registered patient at NIH.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is obtained from patient interviews, referring physicians, a multi-disciplinary care team, and diagnostic, therapeutic, and research results. Admission and protocol consent forms are signed by each patient and an information practices notification form is provided to each patient a the time of initial admission. Each patient would be advised at the time of admission about major system changes and the CC Information Practices notice would be revised and provided to each patient.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system and all contained data are protected using administrative, technical, and physical security and privacy controls. System is behind locked doors, monitored by CC TV and cipher locks. In addition, only authorized users have access which is restricted based on user roles and hierarchal passwords.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Volunteer Program (CRVP)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 6, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0012

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Clinical Research: Candidate Potential Volunteer and Research Subject Records

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: System is used to contain information about potential candidates for participation as volunteers or research subjects participating in clinical research protocols at the Clinical Center.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0012, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each person is verbally informed of information uses and verabl consent is obtained from each person who wishes to be evaluated as a potential research subject. Each indiviudal is informed of information collection and uses prior to acceptance as a volunteer or patient. Each applicant would be notified directly by phone of any major system changes and new consent would be obtained.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: As per standard CIT procedures for the collection, maintenance and destruction of computer files, as well as as specified in the PA Systems Notice.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240 - smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Data Center (CCDC)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 13, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3007-00-110-031

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): NO

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NO

7. System Name (Align with system Item name): Clinical Center Data Center

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system:

The CC Data Center (CCDC) supports approximately 4,500 users within the NIH Clinical Center, and is located in Bldg 10 on the NIH campus in Bethesda, Maryland. The CCDC hosts a myriad of servers, components, workstations and infrastructure devices used to manage NIH information. The Department of Clinical Research Informatics (DCRI) is responsible for the management of the CCDC

The CCDC comprises a variety of servers including network servers, application servers, and Web and Internet servers. CCDC has been identified as a Data Center.

While many applications reside within the servers in the CCDC, the CCDC itself does not processes or store any data that could be considered IIF.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF collected, stored, or processed.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A--No IIF collected, stored, or processed.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A--No IIF collected, stored, or processed.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC DTM SQL System Applications

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jul 7, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0011

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): CC DTM Applications Non-COTS (DANC)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The DTM Applications Non-Cots (DANC) provides the Department of Transfusion Medicine (DTM) with administrative reporting functionality for donors and research management. The system provides DTM staff with tools to make decisions about the collection, use and distribution of donated blood.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not Applicable

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons with assigned roles may have access to the system. The DANC system is protected in the CC Data Center through door locks and other physical controls. Access to DANC is secured by technical controls; including user identification and password protection.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, 301-496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Executive Information System (EIS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Apr 24, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3099-00-403-131

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): YES, 09-25-0099 with revision to routine uses pending

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): CC Executive Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The Executive Information System (EIS) is an application designed to provide real time reporting of key hospital performance indicators. The EIS provides query and reporting capabilities for executive decision makers, and allows staff to view daily, monthly, annual patient census information and key hospital performance metrics. Census data can be reported by hospital unit and protocol, IC, branch, and Principal Investigator.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Yes

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Priniciple investigators provide name at the time they apply for protocol approval from their IRB, which is required for protocol review and administrative approval. If any information other than principle investigator names are collected, then notification will be sent out from OFRM to each individual. CC social workers provide name when they confirm the outpatient appointment in the scheduling.com application. If any information other than CC social workers name are collected, then notification will be sent out from OFRM to each individual.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF is secured using user names/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access and background investigations.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, 301-496-4240

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Lawson

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Apr 29, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Lawson

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Franco

10. Provide an overview of the system: Lawson is an Inventory Management System. Everything that is bought, received, stored, transferred, issued, or disposed of is recorded and controlled. The program is a live inventory instantaneously recording any supply activity that is entered in the system. It makes daily recommendations for both replenishing the Central Hospital Supply shelves from the Storage & Distribution Warehouse; as well as provide reorder for supplies that have fallen below their "par levels". It is the database that is linked to the Visual Supply Catalogue to provide the users the best "picture" and information on medical supplies. Finally, in the absence of a true financial link to inventory.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This is an inventory management system - No IIF is collected or maintained

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This is an inventory management system - no IIF is collected or maintained.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: jfranco@nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Medical Staff Credentialing Processes (SACRED)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 7, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0169

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Medical Staff Credentials Files

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: Information is collected from individual members of the Clinical Center Medical Staff and is used to document their credentialing and privileging under authority of Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Private medical facilities, state medical boards and accrediting bodies as part of the credentialing process.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is obtained directly from each applicant and each is informed about information collection procedures and rules when each applicant signs the consent authorizing the collection. Major systems changes would be sent electronically to each member of the medical staff and new consents obtained at the time of reappointment to the staff.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: As per standard CIT procedures for the maintenance, archiving and destruction of computer files and as published in the PA SORN.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Medicolegal Request Tracking System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Apr 24, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): Medicolegal Request Tracking System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The Medicolegal Request Tracking System is used to receive requests for and track copies of medical record documentation sent out by the Medical Record Department to Clinical Center patients and the third parties they authorize to receive such information.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0099, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each individual patient is informed of CC information practices before they are accepted as patients. In addition, each patient must provide a written release before information if sent out for any other purpose. The Medical Record Department would be responsible for revising release request authorization and information practices forms if any major system changes take place.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is maintained under controlled physical access and user identification as well as passwords are in effect for all users.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Picker: Clinical Center Survey Results

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Required

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): NRC Picker/NIH: Clinical Center Survey Results

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: Information resulting from various surveys and questionnaires conducted by the Clinical Center from patients and staff regarding quality of care and hospital operations. The categories of evaluative information varies according to the service being surveyed and may include data related to the research experience, the clinical services received, the respondent's level of satisfaction, time of delivery and future plans.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No identified data is shared. Only de-identified aggregate data is shared with CC Administration. Once individual responses are aggregated, indiviudals are no longer able to be retrieved by name.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Consent is not obtained because participation is entirely voluntary and because the data derived from the surveys and questionnaire is only provided in a de-identified aggregate manner. Any indiviudal can opt not to participate. Each particpant is provided a written introduction and explanation of the survey. There has never been any major changes to the system and none are anticipated at this time. If such changes do occur, each participant will be notified directly. There are no other notification procedures in place.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The information is kept in a physically secure location utilizing guards, identification badges and key cards. Data is secured behind adequate firewalls and is protected by use of passwords and role-based access.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 14, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC Protocol Tracking (PROTRACK)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Apr 23, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): Systems Notice Submitted for Approval

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name (Align with system Item name): CC Patient & Research Services: Protocol Tracking

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: The Protocol Tracking System is used to collect, maintain and report administrative data about intramural research protocols under authority of Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH Employees for protocol approval, control and reporting.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Employees provide names at the time as a part of the protocol approval process and the names of Government employees are a matter of public record. There are no plans to add additional IIF information at the current time, but the Office of Protocol Services would provide notification to each investigator if additions were made in the future.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized person may have access to the Protocol Tracking System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin: CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CC ProVation

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 15, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): CC Provation

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sue Martin

10. Provide an overview of the system: CC Provation is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Printed reports of endoscopic procedures are printed from the system and stored in the patient's medical record.

The submission of the personal information is voluntary. SSNs are not entered into the CC Provation database here at NIH although there is a field that could be used. Instead, we identify and track patients by their medical record #, name and procedure dates. We have no plans to use SSNs

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Protocol consent forms are signed by each patient and an information practices notification form is provided to each patient at the time of initial admission. Data is retained on servers maintained by DCRI in the CC Data Center and a hard copy is printed which is inserted into the patient’s medical chart. This is kept in medical records.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical, Physical and administrative controls are in place to ensure the security of the information. These include an up to date System Security Plan, Contingency Plan, regular offsite backup of the data, and yearly security awareness training for all personnel. The system is certified and accredited.

The information is secured through multiple levels of security and access controls have been established to authenticate the user and to determine if the user has the authorization to perform actions requested. The access controls are supplemented with a secure network at both NIH and the CC.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Sue Martin, CC Privacy Officer, (301) 496-4240, smartin@cc.nih.gov

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Administrative Database (ADB)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-01-3104-00-402-129

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Administrative Database System (ADB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol A. Perrone

10. Provide an overview of the system: The Administrative Data Base (ADB) is a legacy system project that is over twenty years old. The new NIH Business System (NBS) is projected to replace the ADB by FY06. The system provides support for a broad range of NIH business (financial and administrative) functions including the purchase, receipt, and payment of goods and services (internal and external); the tracking and supplying of inventories; services and supply fund activities; and property management. Development of the ADB began in 1978 to automate the processes related to the procurement of goods and services and to translate the procurement actions into accounting transactons that are processed by the Central Accounting System (CAS). Since then the CAS has been modified to interface with the ADB. Several other systems have been added and modifications/enhancements continue to be made to the ADB to reflect changing policies, requirements and the need for increased functionality. NIH heavily relies on this system for much of its business transactions and management information. The legislation authorizing this activity is found in the Privacy Act System of Record (SOR) Notice #09-90-0018. It is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is shared with the IRS and the Department of the Treasury. SOR 09-90-0018.

The agency collects data pertaining to the procurement of goods and services for the NIH as well as data pertaining to stipend payment to NIH Fellows. Some of the data collected such as the EIN or SSN and ACH Banking information is required in order to effect payments and prepare 1099s and 1042s. Submission of this data is mandatory.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Notification or consent is not done via the Operations and Maintenance Support group; the system is merely collecting and storing data entered by the users. Any notification will have to be done by the Business Owners and ICs.

Changes to the ADB system software does not affect the data collected and maintained in the ADB Vendor file. However, if changes in uses occur, notification to the individuals are done by the Institute or Center (IC) where the original request was initiated or by the Office of Financial Management (OFM) and follows the processes in place for those organizations.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is run under a secure server and access is restricted through RACF as well as security within the system.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT ALTIRIS

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 5, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): Altiris Client Management Suite

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Connie Latzko NIH/CIT/DCS

10. Provide an overview of the system: Altiris Client Management Suite is an agent based systems management solution used to provide hardware and software inventory, patch management, and software delivery for CIT commodity desktops.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF is collected.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is collected

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Business Intelligence System (formerly nVision)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-01-3105-00-404-142

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018 and 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): NIH Business Intelligence System (NBIS) (nVision)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Foecking

10. Provide an overview of the system: The NIH Business Intelligence System (NBIS) is an enhanced data warehouse that is a consolidation of the legacy data warehouse, and the next generation data warehouse, nVision. It is designed to improve reporting capabilities of the NIH business source systems. This consolidation integrates the query and reporting capabilities of NIH business systems into one system. The legal authority is referenced in HHS Privacy Act Systems of Record 09-90-0018 and 09-90-0024.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Only authorized personnel have access to this data. Data may be obtained through FOIA requests. SOR 09-90-0018 and 09-90-0024

HHS, Congress and via FOIA requests.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Agreements have been obtained from the NIH source systems in collaboration with the business community requirement groups to provide the data needed to support the mission of NIH. The warehouse and source systems teams are in constant communication with regard to the data and changes in that data or access permissions granted to users. Users sign the NIH BIS registration form, consenting to the use of PII for NIH BIS registration purposes. When a major change occurs to the NIH BIS system, users are notified by email. A privacy statement is posted on the NIH BIS website.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: NBIS administrative controls include C&A, a System Security Plan, a Contingency Plan, system backups, and documented procedures. Technical controls include a User ID and strong password to access the system and access is only granted when there is a documented request by an authorized official. Other technical controls include Firewalls and VPN. Physical controls to the server room include guards, ID Badges, Key Cards and locks.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Central Accounting System (CAS) (FISMA)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 5, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-01-3101-00-402-124

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Central Accounting System (CAS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol A. Perrone

10. Provide an overview of the system: The NIH CIT Central Accounting System is a legacy system that processes all accounting and financial transactions for the NIH from systems: ADB, Central Payroll, PMS and IMPAC II.

The CAS will be replaced by the new NIH Business System (NBS). Please refer to project # 009-25-01-4601. The CAS project resides in the Division of Enterprise and Custom Applications, Center for Information Technology, NIH. The CAS is a legacy system project that is over twenty years old, and processes accounting and financial transactions for the NIH. It processes data from several sources including: the Administrative Data Base (ADB); Central Payroll; Payment Management System (PMS); and Information for Management, Planning, Analysis and Coordination (IMPAC). The CAS provides data exchange to the ADB, PMS and IMPAC. Data is extracted from the CAS nightly and made available to the NIH through the NIH Data Warehouse. The CAS produces a wide range of reports that detail spending within the Agency. Financial reports are generated for the Department of Health and Human Services, the Treasury Department, the Office of Management and Budget, and the Public Health Service. The legal authority for SOR #09-90-0024 is found in the Budget and Accounting Act of 1950 (P.L. 81-784) and Debt Collection Act of 1982 (P.L. 97-365).

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Department of Treasury for payments and IRS for 1099 reporting. SOR 09-90-0024

Financial reports are generated for the Department of Health and Human Services, the Treasury Department, the Office of Management and Budget, and the Public Health Service.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No processes are in place other than those specified through the ADB, Central Payroll, IMPAC and PMS systems.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The CAS is a mainframe legacy system that operates in a batch environment. The CAS is not accessible to users other than the individuals who maintain it. Those individuals must have proper RACF security in order to access the system.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Computer Installation Management System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Computer Installation Management System (CIMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Burke

10. Provide an overview of the system: CIMS is a COTS product. CIMS is an automated, non-intrusive system used to collect for resources consumed by CIT users, computer charges are collected from various CIT system administrators and does not affect the performance or operation of the computer center. This data is used to create invoices and summary reporting files for the central accounting system. CIMS supports fee for service and flat fee standard rates. CMIS collects no sensitive information.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Connect

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): This system contains no PII.

5. OMB Information Collection Approval Number: This system contains no PII.

6. Other Identifying Number(s): None.

7. System Name (Align with system Item name): Adobe Connect

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Teresa Church

10. Provide an overview of the system: Adobe Connect allows individuals to hold online meetings using PowerPoint, screen sharing, teleconferencing, Voice over IP, video, and other features. Users can also upload on demand content.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not share IIF.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Users must contact us to create an account. We do not put information on individuals into our system without their knowledge.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only users who have accounts can access the system. Once a user has an account, the only information they can access is another’s email address, name, and phone number, similar to a Global Active Listing (GAL) in Outlook.

If a user stores any other information in the system, it can be protected using Access Control Lists (ACLs).

The machines are located in the NIH Data Center, and are protected by the physical controls provided by the Data Center.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Data Center

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Adriane Burton

10. Provide an overview of the system: NIH Data Center Facility is a general support system hosting information technology equipment for information processing services.

The computers located in the Data Center are general support systems that may host sensitive data and applications. Data and applications are the sole responsibility of the application owners. CIT provides the environment and utilities that enable customers to effectively manage the security of their applications and data.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not share or disclose IIF.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT DCB Systems

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3103-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): DCB Systems

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anthony Fletcher NIH/CIT/DCB

10. Provide an overview of the system: This system (“DCB Systems”) is used to provide CIT support for the Institutes and Centers (IC) at NIH. DCB collaborates with the NIH intramural research program to provide expertise and develop software on computational research problems of significance to the ICs. DCB Systems host this software which includes development and pre-production versions. The application areas include molecular modeling, protein structure prediction, biomedical imaging, mathematical modeling, and biomedical informatics.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): SOR 09-25-0200 This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Any IIF data in the system are obtained from the ICs with which DCB collaborates, particularly NINDS. The processes by which the IIF data are collected are determined by the principal investigators in charge of the protocols. The clinical staff at NINDS handle all consent forms and notifications. DCB has no processes in place in addition to those processes provided by NINDS.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Restricted physical and logical access; no project personnel will be allowed to see project data.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Democracy II Server Room

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): There is no PII - this is for a server room

5. OMB Information Collection Approval Number: There is no OMB ICA Number - this is for a server room

6. Other Identifying Number(s): There are no unique identifying numbers

7. System Name (Align with system Item name): Democracy II Server Room

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Deborah Bucci

10. Provide an overview of the system: This is a development and test environment used by CIT's Division of Enterprise and Custom Applications.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not applicable

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is no PII - this is for a server room

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no PII - this is for a server room

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT ePolicy Orchestrator (ePO)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): There is no SOR for this application.

5. OMB Information Collection Approval Number: There is no PII in this application.

6. Other Identifying Number(s): There are no other identifying numbers.

7. System Name (Align with system Item name): ePolicy Orchestrator

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Connie Latzko

10. Provide an overview of the system: This is a COTS product used for antivirus protection, tracking, removal and reporting for CIT systems.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not contain any IIF.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The system does not contain any IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not contain any IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT IFORGOTMYPASSWORD

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): not applicable.

5. OMB Information Collection Approval Number: not applicable.

6. Other Identifying Number(s): not applicable.

7. System Name (Align with system Item name): IForgotMyPassword

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Adrienne Yang

10. Provide an overview of the system: IFogotMyPassword allows users to reset their forgotten passwords on their own. The users’ identities are verified through a simple set of personalized questions via quiz-based authentication. Users self-register for this service.

When registering, users choose three questions from a list of 21 choices and provide the answers. One question is used by the NIH Help Desk to identify users when they call for assistance. The NIH Help Desk employees cannot see any of the answers; they ask the user the question, and type in the response. The IForgotMyPassword application then confirms if the answer is correct.

The choices of questions are:

What is the last name of your favorite school teacher?

What is the name of your favorite sports team?

What is the name of your favorite singer or band?

What is the name of your favorite television series?

What is the name of your favorite restaurant?

What is the name of your favorite movie?

What is the name of your favorite song?

What is the furtherest place to which you have traveled?

What is the name of your favorite actor or actress?

Who is your personal hero?

What is your favorite hobby?

Your mother's first name?

The city name or town name of your birth?

A four digit PIN (personal identification number)?

What is your least favorite sports team?

What is your mother's occupation?

What was your SAT score?

What is your favorite brand of candy?

What is your least favorite food?

What is your least favorite beverage?

What was your first pet's name?

None of this information is in the official list of IIF categories.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share or disclose IIF.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) no

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Infrastructure Graphical Database (IGDB)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: There is no unique identifier for this system

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): There is no SOR needed - no IIF exists in this system

5. OMB Information Collection Approval Number: This does not apply - there is no IIF in this system

6. Other Identifying Number(s): There are no other identifying numbers

7. System Name (Align with system Item name): Infrastructure Graphical Database (CIT Archibus)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tony Trang, NIH/CIT/DNST

10. Provide an overview of the system: This is the National Institutes of Health (NIH) infrastructure assets management system used to track cabling and telecommunications infrastructure information.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): There is no IIF.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is no IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Integrated Service Center (ISC)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): There are no additional numbers.

7. System Name (Align with system Item name): NIH Integrated Services Center (incldues NIH Login)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Debbie Bucci

10. Provide an overview of the system: The Integrated Services Center includes NIH Login and TIBCO. NIH Login provides a single authentication mechanism for NIH enterprise systems and IC specific applications.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF is shared or disclosed.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is no data collected.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT KNOVA

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: none

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): Not applicable.

5. OMB Information Collection Approval Number: Not applicable.

6. Other Identifying Number(s): Not applicable.

7. System Name (Align with system Item name): KNOVA

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Geoff Marsh

10. Provide an overview of the system: This is a Commercial-Off-The-Shelf (COTS) product that provides help desk knowledge base services. It allows agents to type in the customer issue and then be presented with a variety of options depending on their search, including tailored search results, Q&A dialogs, and fields to fill in. It can exchange problem and incident management data with the Customer Relationship Management (CRM) system however no IIF data from the CRM system will be available to Knova. All customer information and IIF is collected in the CRM system, only technical problem related information is entered into Knova. Any integration between the two will strictly pass non-uniquely-identifiable problem information from the CRM to Knova, and then pass resolution information back from Knova to the CRM. No IIF will enter Knova.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): There is no IIF contained within this system

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is no IIF contained within this system

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF contained within this system

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele Mulholland France NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT National Database for Autism Research (NDAR)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3110-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200; 09-25-0156

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): National Database for Autism Research

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Matthew McAuliffe

10. Provide an overview of the system: NDAR, the National Database for Autism Research, is a collaborative biomedical informatics system being created by the National Institutes of Health to provide a national resource to support and accelerate research in autism. *

NDAR will make it easier and faster for researchers to gather, evaluate, and share autism research data from a variety of sources. By giving researchers access to more data than they can collect on their own and making their own data collection more efficient, the time to discovery can be reduced.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF information is not shared on research participants. However the PI’s granted access to data will give permission to post their name on the NDAR Web site with the research aims. The purpose of this is facilitate transparency in how NDAR data is being used. PIs who submit information to NDAR will not have their information posted on the Web site.

NIH will collect IIF on PIs who submit information about research participants to NDAR. This information will be used by NIH to document, track, monitor and evaluate NIH clinical, basic, and population-based research activities.

NIH will also collect IIF on PIs who wish to gain access to the information. This information will be used to document, track, monitor, and evaluate the use of NDAR datasets and to notify recipients of updates, corrections or other changes to NDAR.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) As part of the research protocol, all subjects will be required to fill out consents that describe how their information will be used even though NDAR will contain no IIF on research participants. If these change or expire, all participants will be contacted.

PIs submitting information to NDAR and accessing information from NDAR will sign relevant agreements for submission and access, both of which include a Privacy Act notification.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: 1) Management policies require that all new users be part of an approved site, with the request coming through a system administrator.

2) Technical Controls require that each user log in to the NDAR application with a unique user name and password. Additionally, the password is set to expire after 75 days, must be at least 8 characters long, with at least 2 of the following character types: Control Character, Number, Capital Letter.

3) Physical Controls require badged access to all server rooms, with badge lockdown policies in line with existing NIH procedures.

Physical rack will be key-locked.

Physical rack will be located in data center behind both biometric and keycard access with 100% identification badge check by 24/7 security guard. The Data Center is behind 3 independent 24/7 security guards that will perform identification badge checks.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Application Manager (NappMan)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: This system does not require a UPI.

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Application Manager (NAppMan)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Doug Meyer

10. Provide an overview of the system: The intention of NAppMan is to alert a responsible individual when an application is not available or is suffering a problem of some sort. It summarizes information received from underlying monitors that more directly monitor the application and maintains statistics.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The NAppMan system does not collect IIF and therefore cannot disclose or share IIF.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF is being collected.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is available in the NAppMan system.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Consolidated Co-Location Site (NCCS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): This is not applicable; there is no IIF.

5. OMB Information Collection Approval Number: This is not applicable; there is no IIF.

6. Other Identifying Number(s): There are no additional identifying numbers.

7. System Name (Align with system Item name): NIH Consolidated Co-Location Site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Adriane Burton

10. Provide an overview of the system: The NIH Consolidated Co-Location Site (NCSS) is an off-campus site used to house IC servers, including CIT servers. The NCCS is a secure, environmentally controlled facility located approximately 30 miles from the NIH campus in Northern Virginia. Multiple telecommunications links between NIH and the NCCS provide extremely high bandwidth. These links are part of NIHnet which is managed and operated by the CIT Division of Network Systems and Telecommunications (DNST).

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not share or disclose IIF.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This C&A is for a facility only; this does not include any data.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This C&A is for a facility only; this does not include any data.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Listserv

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): There is no PII, and therefore no SORN needed.

5. OMB Information Collection Approval Number: There is no OMB information collection approval needed.

6. Other Identifying Number(s): There are no other identifying numbers.

7. System Name (Align with system Item name): NIH Listserv

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Adriane Burton, NIH/CIT/DCSS

10. Provide an overview of the system: The NIH LISTSERV facility is an e-mail-based server that allows users to create, manage, and control electronic "mailing lists" on a network. LISTSERV manages list subscriptions, maintains archives of posted messages, optimizes mass mail delivery, and so forth. LISTSERV allows any networked user to subscribe to lists, receive list postings, query LISTSERV, set up a new list, access list archives, etc. These functions are available either via e-mail or via a secure web server.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is no PII.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Portal

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): NIH Portal

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Renee Edwards

10. Provide an overview of the system: The NIH Portal is a web-based application that gives NIH staff a single point of access to the data, documents, applications and services available at the National Institutes of Health.

The NIH portal enables employees to bring together in one site the links to NIH data and documents used to support the mission of the NIH.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A - There is no IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIHnet

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): NIHnet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Renita Anderson

10. Provide an overview of the system: NIHnet provides centralized network intercommunication/transport services and network security services between NIH Institutes and Centers and external resources such as the Internet and HHSnet.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Remedy

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0216

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Help Desk Ticket Tracking System (CIT Remedy)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Chris Ohlandt

10. Provide an overview of the system: The system is used by the IT Support Community at NIH to track customer technical issues from the time of first contact to the point of problem resolution. Authorized users from NIH and certain sister agencies can log in, enter tickets, track their own tickets, and view tickets for other users within their own area.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is disclosed only to other support organizations within NIH or with DHHS organizations outside of NIH with whom we share an SLA. SOR 09-25-0216

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Consent is voluntary and is provided by users of NIH services in order to obtain IT support. Any changes to data collected will be addressed at the next contact with the customer. No disclosure is made outside the scope of this statement therefore no additional consent is needed.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical hardware is located in a secured machine room environment and accessible only via cardkey and/or biometric retinal scanning.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Scientific Coding System (SCS)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-3106-00-110-219

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Scientific Coding System (SCS) OnDemand

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Aileen Kelly

10. Provide an overview of the system: SCS is a scientific coding and reporting IMPAC II extension system application. The data included in the system is required for NIH to fulfill its scientific reporting obligation to the Public, Congress, and the White House, for national health policy and goals.

SCS uses the IMPAC II Reporting Database (IRDB) as the primary data source. SCS users also have the ability to add projects (e.g. contracts) to the system that are not included in the IRDB.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not disclose IIF. SOR is 09-25-0036

09-25-0038

2) PI Birth Year (mandatory and extracted from bio-sketch info from the abstract/summary statement, or other internet data sources, and then entered into SCS by the Scientific Coder) – used for analysis of the NIH scientific program

3) PI Gender (mandatory and extracted from bio-sketch info from the abstract/summary statement, or other internet data sources, and then entered into SCS by the Scientific Coder) – used for analysis of the NIH scientific program.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Will use Privacy Act Notification Statement as defined by IMPAC II. Wil use the same format as that of IMPAC II to notify users.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The SCS is hosted by the NIH Data Center which provides the administrative, technical and physical controls. Technical controls will include the use of user ids, passwords, and a firewall. Physical access controls will include the use of identification badges and key cards. Administrative controls will include a security and contingency plan. Additionally, files will be backed up using the schedule defined by the NIH Data Center. User manuals will also be provided.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT SharePoint

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No SORN is required.

5. OMB Information Collection Approval Number: There is no OMB collection approval necessary.

6. Other Identifying Number(s): There are no other identifying numbers.

7. System Name (Align with system Item name): SharePoint

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Adriane Burton

10. Provide an overview of the system: CIT Sharepoint is a collection of services designed to connect people and information by offering basic web portal and intranet functionality, including version-controlled document storage and basic search functionality. Sharepoint allows employees to collaborate around documents, web pages and databases therefore increasing the efficiency of operations and improving team productivity.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not share or disclose IIF.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This system does not share or disclose IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not share or disclose IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CIT Status of Funds Internet Edition

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Jun 8, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): There is no PII.

5. OMB Information Collection Approval Number: There is no PII.

6. Other Identifying Number(s): There are no additional identifying numbers.

7. System Name (Align with system Item name): Status of Funds Internet Explorer (SOFie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Robin Lyons

10. Provide an overview of the system: SOFie is a Web based application employing Microsoft’s IIS and SQL server software. The SOFie application supports the efforts of several offices and branches within CIY, allowing budget offices to track expenditures of direct, reimbursable, and non-appropriated funds in a fiscal year. Additionally, SOFie is used to reflect budget allocations and projected expenditures at the operating level. The program also contains a tracking mechanism to track prior year funds. The application downloads this information from the NIH Data Warehouse weekly. SOFie is not a source database for other information systems.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): There is no PII.

The CIT/FMO uses SOFie to track expenditures of direct, reimbursable, and non-appropriated funds in the fiscal year. Additionally, SOFie is used to reflect budget allocations and projected expenditures at the operating level. The program also contains a tracking mechanism to track prior year funds. The data used by SOFie is downloaded from the NIH Data Warehouse weekly. SOFie is not a source database for other information systems. SOFie does not contain PII.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is no PII.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no PII.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Michele France, NIH/CIT/PECO

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Asynchronous Electronic Discussion (AED)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3222-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Asynchronous Electronic Discussion (AED)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya

10. Provide an overview of the system: A strategic objective of the Center for Scientific Review is to enrich methods for review of grant applications. This new method, based upon the use of a threaded message board with features tailored to NIH review, permits the asynchronous discussion and private scoring of grant applications without the need for concurrent assembly or teleconference. As an alternative review format, it complements and extends the ways that CSR conducts peer-review at NIH.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system shares or discloses email address, name and IMPAC II identifiers (Commons ID name, and NIH login name) with reviewers, NIH program officers, and CSR SRO's for the purposes of peer review.

The submission is mandatory and does contain IIF (Information Identifiable Form which is name and email using SSL.).

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The system does not gather any information from the public and it is not a publicly accessible system. The system only uses downloaded data in read format from IMPAC II.

The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner that identifies the individual except for the applicants themselves and except as permitted by the Privacy Act.

AED does not change any information and does not have any consent procedures for this. There might be minor changes in IMPACII of some information such as grant application identifiers. Applicants can also access their personal information through NIH Commons with their personal passwords and logon names. Significant changes to grant application information that AED downloads from IMPACII are achieved by voluntary resubmission of grant application by applicants and there are no consent procedures in place for CSR staff. Applicants are informed of major changes in internal use of their data via publication in the NIH Guidelines published on the CSR Internet.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The PII is secured through Technical controls: User ID and passwords have to be used for network authentication. SSL is used to secure downloaded data. Administrative controls: AED training is available for CSR users and reviewers. Training materials are updated and AED system is backed up on a regular basis.

Physical controls: Security guards, identification badges, and key cards are used to gain access to Building 12, where the system is located.

The required password strength for CSR and NIH users is implemented by NIH through logical access controls that provide protection from unauthorized access, alteration, loss, disclosure, and availability of information in accordance with HHS' Information Security Program. The required password strength for external users is enforced through account lockout controls with limiting number of consecutive failed log-on attempts; sign-on warning banner at AED access point; automatically timed out session; deletion of external user information with automatic deletion of whole AED web site 2 hrs after the meeting is completed.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Automated Referral Workflow System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3223-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): HHS/NIH/CSR/ARWS

7. System Name (Align with system Item name): NIH/CSR ARWS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya

10. Provide an overview of the system: The National Institutes of Health (NIH), Center for Scientific Review (CSR) is responsible for managing the receipt, referral and review of grant applications submitted to NIH. The grant applications referral process from initial receipt of an application until the time at which a peer review of the application is completed has been automated by NIH.

CSR’s mission is to receive, refer and review rapidly increasing flow of grant applications, now reaching several thousand applications per year. CSR goal is to speed up the grant application review process by reducing the amount of time from receipt to referral. CSR believes that complete automation of the referral workflow is necessary to achieve CSR’s goals based on NIH, HHS, and the President Management Agenda (PMA) strategic goals and objectives.

The CSR Automated Referral Workflow System (ARWS) achieves CSR’s strategic goals and objectives by (1) shortening the review process and (2) increasing the transparency, accountability, and uniformity of NIH peer review.

The primary goal of the Automated Referral Workflow System (ARWS) project is to reduce the amount of time required for referral of grant applications by CSR through the development and use of software tools to automate and assist with the assignment of grant applications to the Integrated Review Groups (IRGs) and Scientific Review Groups (SRGs). Secondary goals include providing Institutes/Centers (ICs), IRGs and SRGs with more information about how referral assignments are made and information about possible alternative referral assignments.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is disclosed only to Scientific Review Officers, Administrative Assistants and Program Officers from NIH.

Disclosure may be made to the National Technical Information Service (NTIS), Department of Commerce, for dissemination of scientific and fiscal information on funded awards (abstract of research projects and relevant administrative and financial data).

Disclosure may be made to the cognizant audit agency for auditing.

Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

Disclosure may be made to qualified experts outside NIH as a part of the application review process.

Disclosure may be made to a Federal agency, in response to its request, in connection with the issuance of a license, grant or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency's decision in the matter.

Disclosure of past performance information pertaining to contractors may be made to a Federal agency upon request. In addition, routine access to past performance information on contractors will be provided to Federal agencies that subscribe to the NIH Contractor Performance System.

A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) justifies the risk to the privacy of the individual that additional exposure of the record might bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining that information, and (3) make no further use or disclosure of the record except (a) in emergency circumstances affecting the health or safety of any individual, (b) for use in another research project, under these same conditions, and with written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law; and (D) has secured a written statement attesting to the recipient's understanding of, and willingness to abide by these provisions.

Disclosure may be made to a private contractor or Federal agency for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. The contractor or Federal agency will be required to maintain Privacy Act safeguards with respect to these records.

Disclosure may be made to a grantee or contract institution in connection with performance or administration under the conditions of the particular award or contract.

Disclosure may be made to the Department of Justice, or to a court or other adjudicative body, from this system of records when (a) HHS, or any component thereof; or (b) any HHS officer or employee in his or her official capacity; or (c) any HHS officer or employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the officer or employee; or (d) the United States or any agency thereof where HHS determines that the proceeding is likely to affect HHS or any of its components, is a party to procee

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) System contains first, middle, last name, suffix and email addresses of Scientific Review Officers (SROs) and IRG Chiefs employed by NIH. This identifying information can be used to link an SRO and IRG Chief to NIH IMPAC II records. Users log on ARW system with NIH login name. ARWS has unique identifier for system user. (2) There is also NIH IMPACII identifying information for applicant-Principal Investigator (PI): first, middle, last name and suffix of applicant. The grant application information is mandatory and is IIF. It has a voluntary cover letter from Principal Investigators with their names and work addresses. The letter is disclosed only to intended personnel within CSR maintaining ARWS system. (3) Yes. (4) Voluntary.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All data contained within this system is pulled from IMPAC II, at which point notification and consent is obtained, used, or shared.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: ARWS requirements for security must comply with the Privacy Act System of Records Number 09-25-0036, “Extramural Awards and Chartered Advisory Committees: IMPAC (Grant/Contract/Cooperative Agreement Information/Chartered Advisory Committee Information),” HHS/NIH/OER and HHS/NIH/CMO. Included in the system design is the definition of users, roles assigned to users, and system privileges that are linked to user roles. Both the roles and privileges are flexibly defined within ARWS to allow for specification of privileges required to perform specific system functions or view specific data items appropriate for each role. The system permits only authorized and authenticated user access. Additionally, there are Federal (NIST, FIPS, OMB, GAO, agency-level HHS/NIH guidelines and directives compliant) and industry-best practices security measures in place to ensure the system utilizes and ensures the effective use of security controls and authentication tools to protect privacy to the extent feasible. Access to the ARWS system user's records is restricted to authorized users behind the NIH firewall. Risk of unauthorized access is, therefore, considered low. The ARWS system is maintained in strict compliance with the Privacy Act of 1974.

Authorized user access to information is limited to authorized personnel for performance of their duties. Authorized personnel include system managers and their staff, computer personnel, and NIH contractors and subcontractors. Physical safeguards are in place at CSR. Procedural and Technical Safeguards: A password is required to access the terminal and data set name controls the release of data to only authorized users. All users of personal information in connection with the performance of their jobs protect information from public view and from unauthorized personnel entering an unsupervised office. Files with data on a local area network are accessed

by keyword known only to authorized personnel.

Codes by which automated files may be accessed are changed periodically. This procedure also includes deletion of access codes when employees or contractors leave organization. New employees and contractors have obligatory training and NIH/CSR security department is notified of all staff members and contractors authorized to be in secured areas during working and nonworking hours. The list is revised at NIH and requires the completion of a computer-based training (CBT) course entitled ‘Computer Security and Awareness’ for NIH staff and contractors. This CBT provides an overview of basic IT security practices and the awareness that knowing or willful disclosure of the sensitive information processed in the system can result in criminal penalties associated with the Privacy Act, Computer Security Act, and other federal laws that apply.

All data transmitted between the server currently resides in CIT's facility behind the firewall and workstations at CSR are encrypted.

The NIH ISSO and Incident Response Team (IRT) (along with the Security Team Network Operations Team, Web Development Teams, and Administrator Teams) help assure the security of NIH systems, data, and information while maintaining connectivity and interoperability throughout NIH. The IRT responds to computer security incidents, characterizes the nature and severity of incidents, and when appropriate, provides immediate diagnostic and corrective actions. Audit logs are reviewed by appropriate staff.

These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS 45-13, and the Department's Automated Information System Security Handbook.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Committee Management Application

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Committee Management Application

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya

10. Provide an overview of the system: The Committee Management Application is a sub-application of the existing employee database (NIH Enterprise Directory via the CSR Intranet) which stores employee committee involvement data. The system also has a reporting capability for management and committee members.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The Committee Management Application allows senior management access to query and report functions. Other access will be granted on a need-to-know basis as determined by senior management. Application administrators will have access to add, edit, and delete all committees and memberships. Employees will have read-only access to their current list of committee memberships through a link in the employee information update screen located on the CSR Intranet. This application is only accessible to NIH employees and NIH/CIT employees as needed since the application resides on a CIT server.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1) N/A - no major changes anticipated. (2) On the CSR Intranet (the parent system to this application) a message is displayed to the employees explaining the purpose and protections in place to safeguard information. (3) Users have read-only access to view committee memberships; administrators have add, edit, and delete capability for all committee memberships; developers/contractors have access to maintain and operate the application.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative Controls: role-based access; appropriate system security plan, contingency plan, file back-up, training of users, and retention and destruction policies are in place.

Technical: User ID, passwords, firewall, VPN, encryption and IDS are in place on all CSR systems.

Physical: guards, ID badges and key cards are utilized at the server location and the CSR offices.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 14, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Grant Redundant Application Search Program (GRASP)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Grant Redundant Application Search Program (GRASP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya

10. Provide an overview of the system: The proposed system should have the following operational requirements:

- Compare new grant application submissions to a database of previous applicatioin submissions (and potentially other sources).

(1) use of original material from others

(2) submission of multiple applications

(3) renamed applications

(4) already completed work

- Displays output summarizing findings

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not Applicable

.) Only text will be uploaded to GRASP system; that text will be readily parseable, and not image format requiring optical character recognition.

(2) CSR shall use the information provided in order to minimize the resources and time used in identifying inequality amongst grant applicants. These inequalities include the duplicative and overlapping use of original material from others, the submission of multiple applications, renamed applications, and requesting funding for already completed work.

(3) Yes, this system does contain PII.

(4) Voluntary. The PII information is collected from the existing IMPACII system where applicants submit grant applications for review.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) As GRASP will utilize historical data from IMPACII , no processes are in place to obtain consent from individuals whom submitted applications. IMPAC II Systems of Record Notice is in place.

The GRASP system shall collect historical application data to be part of the comparison effort and transferred to the data warehouse (dbGRASP) in the GRASP system. This data will be parsed, formatted and indexed for use by the GRASP system. The source for all comparison work will be historical information from IMPAC II. Periodically, a data extract representing new entries to IMPAC will be created and transferred to the GRASP data warehouse.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

Technical: User ID, passwords, firewall, VPN, encryption and IDS are in place on all CSR systems.

Physical: guards, ID badges and key cards are utilized at the server location and the CSR offices.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Internet Website

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-3204-00-305-109

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): CSR-3

7. System Name (Align with system Item name): CSR Internet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bhattacharyya, Dipak

10. Provide an overview of the system: Provide resources for applicants, news and reports, information about CSR and peer review meetings to the general public. Authorized by Section 301 of the PHS Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): General public, applicants and reviewers can get access to CSR staff directory and study sections rosters. CSR Internet application has been created for the purpose of providing information to NIH and scientific community on the world wide web.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Data in staff directory and rosters do not change without users' consent, and approval. Users submit their information for posting to CSR web developers mostly in electronic form.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Covered by CSR Security Plan

Authorized by Section 301 of the PHS Act.

CSR Web site is designed as a public service to provide information to general audience. Every page on CSR web site is accessible to general public including people with disabilities.

Technical controls are provided by NIH. The application data are backed up daily.

CSR Web site is updated regularly.

hysical controls: Security guards, identification badges, and key cards are used to gain access to building 12, where the system is located.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Intranet Website

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-3204-00-305-109

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0216

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): CSR-2

7. System Name (Align with system Item name): CSR Intranet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya

10. Provide an overview of the system: Provides information on all aspects of CSR work to CSR and NIH staff. Authorized by Section 301 of the PHS Act.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Provides information on all aspects of CSR work to CSR and NIH staff. The system provides contact information to CSR supervisors for crisis notification. SORN #09-25-0106 CSR staff directory contains working addresses for all CSR employees.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) A message is displayed to the employees explaining the purpose and protections in place to safeguard information. There is no consent process since this information is mandatory and critical to continue the CSR mission in case of emergency.

Also, CSR users make changes to their personal information by themselves thus eliminating errors and misrepresentation of their personal information such as phone and email address in CSR staff directory.

NIH maintains NED directory with CSR users PII information.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Photos of staff are limited to the NIHnet users. IIF in the form of home phone numbers will be restricted to a SSL enabled website and require user authentication with NIH login and password.

Administrative

To log on the Intranet requires an active directory account, which is created and maintained by the central NIH account authority. The initial employee record is entered by the supervisor as part of a desktop support request. Once the employee is settled, he/she enters additional emergency contact information, i.e. home address, cell phone or home phone number. This information is mandatory in case of emergency, so that CSR can contact employees. Prior to the employee departure/separation date, the employee is required to complete form on CSR Intranet and return NIH badge and CSR property items. The automated record is removed from the system in 30 calendar days after the departure date. All database backups no longer have the information about former employee after 60 calendar days.

Technical

The employee entry form is located on the CSR Intranet. The server where CSR database resides is hosted and maintained by the CIT hosting branch. It is physically located in Building 12. The building has the technical infrastructure to ensure protection of the server from physical and online attacks via ADP room access controls and WAN and LAN intrusion protection. The software program allows the following access to employee records:

Role: Director, CSR, Emergency Coordinator, Division Directors (6) - Records Access: All

Role: Branch and IRG Chiefs - Records Access: Employees Supervisor

Role: All Employees - Records Access: Supervisor

This access is maintained through NIH active directory. The system administrator's password is changed every year. Due to operational necessities, an exception to policy was granted for a year long password. The CIT hosting branch provides the operating and database systems patch in accordance with policy set by CERT and the manufacturer.

Physical

Building 12 has access controls procedures in place to prevent unauthorized access to CSR Severs. In addition, CSR employees are not authorized without escort to enter the ADP room or access servers. All supervisors have the ability to save and/or print a hardcopy of the employee directory. The supervisor is required to keep this information in a locked file cabinet at all times. In addition, the list is stored on the local drive of the supervisor. All hard drives are encrypted.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Member Application Notifcation (MAN)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Member Application Notification (MAN)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya

10. Provide an overview of the system: The MAN system provides daily notifications of initial application assignment to a given Integrated Review Group (IRG) Chief (or their designee) if at least one application has received its initial review assignment to their IRG (or directly to a SRG or SEP within their IRG) or their SRC99 (in the case of ICs) and meets the specified business rules.

- Identify only applications with mechanism types limited to R01, R21, and R34 submitted by only appointed chartered study section members (not temporary or ad hoc) to as recorded in IMPAC II.

- Exclude applications for which appointed members have a role other than PD/PI, including appointed members serving as sponsors for fellowship applications or mentros for career award applications.

- Applications with multiple PI/PDs should be identified if one or more are eligible based on their status as a study section member (It's not necessary for all of the PI/PD's of a given application to be members)

- Identify and include eligible funding opportunity announcements such as PA, PAR, and PAS per CSR R&R guidance

- Send notifications to individual Outlook group addresses for each of the IRGs (Chiefs and their designees) and each of the ICs (Review Chief and their designees)

- The application accession number, appid, application title, application assignment information, and the list of PI/PDs should be included in the notification to the IRGs or ICs.

- Application title in the IRG Chief's report

- Allow IRG Chiefs to indicate whether or not applications are continuous submissions and capture designation in the database

- Allow IRG Chiefs to look at applications from all other IRGs received within the last two months and indicate which they can review by entering status into database.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The MAN system provides daily notifications of initial application assignment to a given Integrated Review Group (IRG) Chief (or their designee) if at least one application has received its initial review assignment to their IRG (or directly to a SRG or SEP within their IRG) or their SRC99 (in the case of ICs) and meets the specified business rules.

- Identify only applications with mechanism types limited to R01, R21, and R34 submitted by only appointed chartered study section members (not temporary or ad hoc) to as recorded in IMPAC II.

- Exclude applications for which appointed members have a role other than PD/PI, including appointed members serving as sponsors for fellowship applications or mentros for career award applications.

- Identify and include eligible funding opportunity announcements such as PA, PAR, and PAS per CSR R&R guidance

- Send notifications to individual Outlook group addresses for each of the IRGs (Chiefs and their designees) and each of the ICs (Review Chief and their designees)

- The application accession number, appid, application title, application assignment information, and the list of PI/PDs should be included in the notification to the IRGs or ICs.

- Application title in the IRG Chief's report

- Allow IRG Chiefs to indicate whether or not applications are continuous submissions and capture designation in the database

- Allow IRG Chiefs to look at applications from all other IRGs received within the last two months and indicate which they can review by entering status into database.

a. IC

b. MEMBER IRG

c. CMTE

d. MEM PI NAME

e. MEMBER START DATE

f. MEMBER END DATE

g. GRANT NUM

h. ACCESSION NUM

i. APPL CLUSTER IRG

j. STUDY SECTION FULL

k. RFA PA NUMBER

l. COUNCIL DATE

m. APPLICATION RECEIVED DATE

IMPAC II is the source of all application data.

(2) The MAN System ensures that Integrated Review Groups (IRGs) Chiefs and IC Review Chiefs/contacts are aware of the assignment of applications submitted by chartered members of the standing study sections to Integrated Review Groups (IRGs) and Study Sections.

(3) Yes

(4) Voluntary. All information is provided via the IMAC II system.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

Technical: User ID, passwords, firewall, VPN, encryption and IDS are in place on all CSR systems.

Physical: guards, ID badges and key cards are utilized at the server location and the CSR offices.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR National Registry of Volunteer Reviewers

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): CSR National Registry of Volunteer Reviewers

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nair Prema, Diane Stassi, Weijia Ni

10. Provide an overview of the system: The CSR National Registry of Volunteer Reviewers is an Access-based database that contains information provided by volunteer scientists who are interested in serving on CSR grant review panels. Information provided includes: Name, Degree, Title, Institution, Department, Email, Web Address(es), Area of Expertise/Keywords, Study Section or IRG, Recent funding sources, Referring Society, QVR Person ID, NIH review and grant history, Geographical Region, Date Registered, SRO Contact Records (check boxes for “Contacted” and “Served” as well as date and SRO name), and an SRO Reviewer Evaluation field (check boxes 1-5 – for scientific expertise and review performance). The database is available to everyone in CSR who has access to the CSR share drive. The database is searchable by Keyword, IRG, and Region.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is disclosed to anyone in CSR with access to the Share Drive, including, Scientific Review Officers, IRG Chiefs, Division Directors, personnel in the Director’s Office. The information will be used to 1) identify highly qualified reviewers who are willing to serve on study sections and 2) report back to the referring societies on how many of their recommended reviewers have served on panels.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information collected for the CSR National Registry of Volunteer Reviewers contains IIF. The following information is voluntarily provided by scientists who are interested in serving on CSR grant review panels: Name, Degree, Title, Institution, Department, Email, Web Address(es), Area of Expertise/Keywords, Study Section or IRG, Recent funding sources, and Referring Society. In addition to this information, the developers of the database add the volunteer’s QVR Person ID and NIH Review history (if they are in the system), Geographical Region, Date Registered, and Reviewer Evaluation (check boxes 1-5 – for scientific expertise and review performance). Individuals using the database (primarily Scientific Review Officers) may add Contact Records (check boxes for “Contacted” and “Served”, date and SRO name) as well as reviewer evaluation. The information will be used to identify highly qualified reviewers to serve on study section panels and to provide feedback to societies on whether their members are serving on panels.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No major changes are expected to occur to the database. If any changes are made, we will notify all individuals via email. We will be collecting the following IIF: Name, Mailing Address, Phone Numbers, Device Identifiers, Web Uniform Resource Locator(s) (URL), Email Address, and QVR Identifier. Individuals will be notified via email describing the IIF obtained and that we will use this information to identify highly qualified reviewers who are willing to serve on study sections. This information is stored in a database that is available to CSR employees, and specifically created for Scientific Review Officer use. The email notification will also give the individual the option of rescinding their information, at which point the system developers will destroy (permanently delete) the IIF provided.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls. To run the database, SROs download it to their C-Drives from Share drive. Access to the CSR Share drive is limited. Personnel with access to the database have been trained and are aware of their responsibilities for protecting IIF.

Physical controls. Rockledge 2 is secured by guards, employee identification badges and keycards.

Technical controls: All CSR laptop computers are encrypted. User identification, passwords, firewall, VPN are currently in place. Security patches for servers and laptops are always kept current.

The NIH incident response team will notify the CSR ISSO of any security incidents detected. Users will notify the CSR ISSO and NIH Helpdesk of any security incidents.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Performance Management Appraisal Program (PMAP)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Performance Management Appraisal Program (PMAP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya

10. Provide an overview of the system: The PMAP review system is intended to provide an automated process for specific members of Office of the Director (OD) and Managers to review the written performance summaries of two categories of CSR staff. This new process streamlines the existing manual process and provides for more effective time management and evaluation techniques. The scope of the PMAP review system is to automate the existing process for performance reviews for ease of use. This goal will be achieved through the following product features:

• PMAPs grouped by Division, IRG and/or Branch – in a table-like structure

• Display the names of all CSR staff within selected group/IRG/branch

• Ability to individually select performance summary, out of staff listing

• Allow display of performance summary and assigned score, for the PMAP being reviewed

• Ability to change the assigned score, if desired

• Ability to update changes to the PMAP and create a permanent record

• Store the performance summaries

• Display the current number out of total for specified group (3 out of 10)

• Ability to move to next performance summary within same group

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not Applicable

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1) No major changes anticipated. (2) The PMAP process is a required HHS process of which employees are notified when they are hired. (3) Information will be used by supervisors and the administrators to rate the performance of employees.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative

To log on the Intranet requires an active directory account, which is created and maintained by the central NIH account authority. This system is hosted by the CSR intranet and will have role-based access for supervisors, administrators and the technical team.

Technical

This access is maintained through NIH active directory. The system administrator's password is changed 60 days. The CIT hosting branch provides the operating and database systems patch in accordance with policy set by CERT.

Physical

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR SOFie ( Status of Funds)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): Status of Funds Internet Edition (SOFie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nair Prema, Kevin Laser

10. Provide an overview of the system: The SOFie application supports the efforts of several offices and branches within the IC, allowing budget offices to track expenditures in appropriate funds in a fiscal year. The program contains a tracking mechanism to track prior year funds as well. The application downloads this information from the NIH Data Warehouse weekly. Information entered into the SOFie database is not uploaded into the NIH Data Warehouse database. SOFie is not a source database for other information systems.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized user access to information is limited to authorized personnel for performance of their duties. Authorized personnel include NIH employees, system managers and computer personnel. Physical safeguards are in place at CSR. and the contractor facilities. Access codes are deleted when employees leave CSR. New employees have obligatory training and NIH/CSR security department is notified of all staff members and contractors authorized to be in secured areas during working and nonworking hours. The list is revised at NIH and requires the completion of a computer-based training (CBT) course entitled ‘Computer Security and Awareness’ for NIH staff and contractors. This CBT provides an overview of basic IT security practices and the awareness that knowing or willful disclosure of the sensitive information processed in the system can result in criminal penalties associated with the Privacy Act, Computer Security Act, and other federal laws that apply.

All data transmitted between the server (currently at contractor location) and workstations at CSR are encrypted.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH CSR SREA Financial Tracking System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): CSR SREA Financial Tracking System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Renee Harris, Dipak Bhattacharyya, and Prema Nair

10. Provide an overview of the system: The SREA Office’s main functions is to support the CSR Peer Review by the 1) procurement of hotel meeting rooms, sleeping rooms, reviewer airfare, AV and 2) Payment to Non-Federal Reviewers who provide expertise in reviewing grants applications.

We expect that by having a SREA Financial Tracking system we will be better equipped to serve NIH/CSR as a whole. Specifically, it is proposed a web-based system will enable SREA to better monitor and track Peer Review expenditures in an electronic format which can be queried to do historical data analyses on a regular basis. We will also be able to allow secured access to SREA Data at multiple levels: administrative, user, and read-only. In addition, we will be in compliance with the NIH COOP and NIH Vital Records initiatives by electronically housing procurement documents attached to a corresponding ticket.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not Applicable

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) We do not anticipate any major changes to the system. In the event of a major change involving PII, a process will be put in place. Individuals are notified via email regarding the PII in the system and how it is used.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access controls are in place for servers along with FDCC guidelines.

NIST and FISMA rules and regulations are applied to servers.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Kerry Murphy, CSR Privacy Coordinator

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 14, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH FIC CareerTrac

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 31, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-1903-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156

5. OMB Information Collection Approval Number: 0925-0568

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): CareerTrac

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Linda Kupfer

10. Provide an overview of the system: CareerTrac is a global trainee tracking and evaluation system for the Fogarty International Center (FIC), National Institutes of Health. The goal of this system is to create a complete trainee roster for all FIC research training programs and to monitor outputs, outcomes and impacts of FIC international trainees.

13. Indicate if the system is new or an existing one being modified: New

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): FIC takes every reasonable precaution to protect information. CareerTrac system is securely hosted under NIH firewall and the password is encrypted. FIC maintains appropriate physical, electronic and procedural safeguards to ensure the security, integrity and privacy of trainee’s personal information. Unless legally mandated, FIC will not disclose any of the following information: employment history, phone, fax, year of birth, biographical data, gender (except in aggregate), minority status (except in aggregate), current training status, return home (except in aggregate), and career accomplishments (only in aggregate – except where in the public domain).

FIC understands the delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. Access to CareerTrac data will be granted only to those organizations/individuals, which must, in the course of exercising their responsibilities, use the specific information. The requests for access to CareerTrac data will be carefully reviewed and the following information may be disclosed for routine uses: trainee’s name, area of training, country of origin, work email, degrees earned through FIC funded programs, accomplishments that are public products, and career highlights of the trainee information. The audience for this information may include, but not restricted to:

The FIC, NIH, HHS and Congress for reporting and evaluation purposes;

The Principal Investigator (PI) and Collaborators for the purpose of monitoring the program, submitting progress reports and grant applications and writing journal articles describing the programs;

FIC co-funding partners and Co-sponsors of FIC programs for the purpose of reporting progress and conducting evaluations of the programs

Interested public, for example, for the purpose of convening a scientific meeting in a particular country to which former trainees will be invited

The purpose of the system is to enable effectiveness evaluations of health research training programs, funded by NIH/FIC, for international trainees.

The information may be used by or disclosure may be made to (1) the FIC, NIH, HHS and Congress for reporting and evaluation purposes; (2) the academic community (including PIs and Collaborators) for the purpose of monitoring the program submitting progress reports and grant applications and writing journal articles describing the programs; (3) FIC co-funding partners and co-sponsors of FIC programs for the purpose of reporting progress and conducting evaluations of the programs; (4) interested public, for example for the purpose of convening a scientific meeting in a particular country to which former trainees will be invited.

The personal information is submitted on a voluntary basis.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) We will provide the trainees with a written document that will notify the trainees about the purpose of data and how it will be used and shared. The trainees will have to read Privacy Act Disclosure and sign 'Certificate and Acceptance' form (which is part of the document) before PIs can enter their personal information into the system.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: A variety of safeguards are implemented in order to protect the information collected through CareerTrac system. Regular access to information in CareerTrac is limited to PHS or to contractor employees who are conducting, reviewing or contributing to the system. Other access is granted only on a case-by-case basis, consistent with the restrictions, as authorized by the system manager or designated responsible official.

Administrative Control: CareerTrac has a system security plan and backup plan. The files are backedup regularly and they are stored in secure offsite locations.

Technical Control: CareerTrac system is securely hosted under NIH firewall and the password is encrypted and changed routinely. PIs can only view the trainees from their grant. FIC maintains appropriate physical, electronic and procedural safeguards to ensure the security, integrity and privacy of trainee's information.

Physical access controls are in place for CareerTrac. Records are stored in closed or locked containers, in areas which are not accessible to unauthorized users, and in facilities which are locked when not in use. Sensitive records are not left exposed to unauthorized persons at any time. The following are some of the physical controls in place to safeguard system and data collected: closed circuit TV, identification badges and guards.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Marcia Smith

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Applications Database

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 18, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-003

7. System Name (Align with system Item name): Application Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Linda Rich

10. Provide an overview of the system: The system holds grant application information that is retrieved from the IMPAC II database with additional tracking information added for the purpose of application grant approval. The system tracks grant applications under authority 42 USC 287c-21.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): For internal purposes only; it will not be shared. SOR #09-25-0036

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All IIF information is obtained from the NIH IMPAC II system. Any major changes to the system should be handled at the NIH level. Notifications and consent procedures with subjects are also handled at the NIH level. NCCAM does not have a notification process in place as the applications database does not collect the initial IIF. It is only a recipient of IIF collected by another database that is maintained at the NIH level thus we do not have our own notification process to obtain IIF from individuals. This system does not have any notification procedures in place in addition to those in place for the IMPACII system.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The information is physically secured by a required key card and employee badge, and electronically secured by a password login procedure to the NIH computer system, a restricted folder location, and a requirement of a password when accessing the database. Information is also secured by least privilege, separation of duties, an intrusion detection system, firewalls, locks and background investigations. A comprehensive IRT is also maintained.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Robin Klevins (301) 451-6574

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Employee Database, Internet Edition (EDie)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 17, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-014

7. System Name (Align with system Item name): NIH NCCAM Employee Database, Internet Edition (EDie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lori Thompson

10. Provide an overview of the system: EDie is a web-based application that allows institutes to accurately maintain individual employee, contractor, and volunteer information, as well as plan for, monitor, and report on workforce staffing levels.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is intended for internal senior administrative use only and will not be shared by other entities. Refer to SORN 09-90-0018.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is collected from documents provided by employees (CV, resumes, etc) at the time of appointment. It is provided in personnel packages submitted through channels in order to affect a hire. This information is put into Capital HR and Fellowship Payment System (FPS) and subsequently downloaded into EDie. Individuals are notified of the collection and use of data as a part of the hiring process. Changes to the system, or use of the information, is relayed to employees via official notices from HR and the system owner.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to sensitive data fields is limited on need to know basis. Each user signs a security statement and received a password. Any violations results in loss of access to system. Information is also secured by separation of duties, and intrusion detection system, firewalls, locks and background investigations. A comprehensive IRT capability is also maintained.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Robin Klevins (301) 451-6574

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Grantee Bibliographic Database

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 18, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM -007

7. System Name (Align with system Item name): NCCAM Grantee Bibliographic Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Linda Rich

10. Provide an overview of the system: The database was developed for internal use to collect information about research articles that have resulted from the work funded by NCCAM grants.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is used only by NCCAM staff for internal purposes to assess the scientific results of funded research projects. SOR#09-25-0036

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All IIF information is obtained from the NIH IMPAC II system. Any major changes to the system should be handled at the NIH level. Notifications and consent procedures with subjects are also handled at the NIH level. Consent is given by the investigator when she/he submits the application or progress report. NCCAM does not have a notification process in place as the grantee bibliographic database does not collect the initial IIF because it is only a recipient of IIF collected by another database that is maintained at the NIH level. This system does not have any notification procedures in place in addition to those in place for the IMPACII system.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: SOR: 09-25-0036

Information is secured by a required key card and employee badge, and electronically secured by a password login procedure to the NIH computer system, and a requirement of a password when accessing the database. Information is also secured through least privilege, separation of duties, an intrusion detection system, firewalls, locks, and background investigations. A comprehensive IRT capability is also maintained.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Robin Klevins (301) 451-6574

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Internet Website

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 17, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: OMB # 0925-0486-2501-05

6. Other Identifying Number(s): NCCAM-001

7. System Name (Align with system Item name): NCCAM Internet Web Site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Liu

10. Provide an overview of the system: The NCCAM Web site (www.nccam.nih.gov) is used to disseminate scientifically accurate information about complementary and alternative medicine to the public and to health officials via the World Wide Web.

13. Indicate if the system is new or an existing one being modified: Existing

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No - SOR#09-25-0106

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not Applicable

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Robin Klevins (301) 451-6574

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Intranet Website

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 17, 2009

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-002

7. System Name (Align with system Item name): NCCAM Intranet Web Site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Liu

10. Provide an overview of the system: The NCCAM Intranet Web site (www.nccamintranet.nih.gov) is used to disseminate relevant information and useful dynamic applications to employees of the National Center for Complementary and Alternative Medicine (NCCAM). The key legislation authorizing this Web site is 42 USC 287c-21.