06.3 HHS PIA Summary for Posting (Form) / NIH CC Activity Based Cost System (ABC) (Item)
PIA SUMMARY AND APPROVAL COMBINED
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 5, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3099-00
4. Privacy Act System of Records (SOR) Number: None
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name: NIH CC Activity Based Costing System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dan Rinehuls
10. Provide an overview of the system: The ABC System contains information about resource allocation across research protocols conducted in the Intramural Research Program of the NIH, including specific protocol identification data, as well as other information related to medical care, supplies and services related to those protocols.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH employees for budget review and development.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The only IIF involved in the ABC System are the names of the investigators related to each research protocol, all of whom are NIH employees. It is mandatory that each protocol have a related principal investigator. All remaining information relates to budgetary requirements, including specific clinical services, IC budgets and resource allocation.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Employees provide names at the time they apply for protocol approval from their IRB, which is required for protocol review and administrative approval. If any information other than employee names is collected, then notification will be sent out from OFRM to each individual. However, there are no current plans to collect additional IIF in the future.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access to the ABC System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.
PIA Reviewer Approval: Promote
Comments: This system not previously reported as full PIA because only IIF are employees' names.
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954: JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
06.3 HHS PIA Summary for Posting (Form) / NIH CC Admissions and Travel Voucher Application (ATV) (Item)
PIA SUMMARY AND APPROVAL COMBINED
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Aug 7, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number: 09-25-0099
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): None
7. System Name: Admissions and Travel Voucher (ATV) Application
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry P. King
10. Provide an overview of the system: This is an ancillary application, part of the CRIS system, that allows research participants to register and procure travel requisitions and payments.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Shares information with travel agents so that travel arrangements can be made. Sharing is done per SOR 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Legislation authority is the Public Health Service Act. (42 U.S.C. 241, 242, 248, 281, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.) The information collected is name, date of birth, social security number, mailing address, medical record number, and e-mail address. This information is used to register individuals as participants in clinical trials and to assist in providing travel arrangements for those individuals. Information is disclosed to travel agents to assist in making the necessary travel arrangements. Information submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Notification of all information practices is provided to every patient participating in research upon initial registration and upon every re-registration, including any changes to collection and types of information.
32. Does the system host a website?: Yes
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF is secured using username/passwords, secure sockets, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954: JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Nurse Staff Office Schedule (ANSOS) (Item)
PIA SUMMARY AND APPROVAL COMBINED
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 10, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3008-00
4. Privacy Act System of Records (SOR) Number: 09-90-0018
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name: CC ANSOS: Automated Nurse Staff Office Schedule
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Barbara Quinn
10. Provide an overview of the system: The ANSOS System is used to arrange schedules and project staffing needs for nurses caring for patients at the Clinical Center and is authorized by Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): As per SOR 09-90-0019. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Includes basic identification data including name, date of birth, address, phone numbers and related information necessary to develop schedules for nurses and to project utilization and staffing needs across the Clinical Center. Submission is mandatory if the individual wishes to be employed as a nurse at the Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Each individual is informed of information practices at the time of job application and subsequently when individual schedules are developed. In addition, the CC Nursing Department is responsible for notifying each nurse of major system changes related to IIF, which may be done electronically or in written form.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access to the ANSOS System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954: JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
06.3 HHS PIA Summary for Posting (Form) / NIH CC Blood Bank Collection System (BBCS) (Item)
PIA SUMMARY AND APPROVAL COMBINED
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 10, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3007-00
4. Privacy Act System of Records (SOR) Number: 09-25-0011
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name: Blood Bank Collection System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Boyd Conley
10. Provide an overview of the system: The system contains data regarding donors at the Department of Transfusion Medicine used to conduct clinical care and research at the Clinical Center as authorized by Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information, including past donations, blood types, phenotypes, lab results, serologic reactions and related information, is collected from donors of blood and blood components to be used for clinical care and research at the Clinical Center. Submission is mandatory since donations must be directly attributable to each individual donor.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Each individual donor is informed of required information collection and uses before donation. Major systems changes would be sent directly to each donor and new consents obtained upon new donations.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954: JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Information System (CRIS Core) (Item)
PIA SUMMARY AND APPROVAL COMBINED
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 10, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-01-3006-00-110-219
4. Privacy Act System of Records (SOR) Number: 09-25-0099
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): CC-1
7. System Name: Clinical Research Information System (CRIS) Core
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Jon McKeeby
10. Provide an overview of the system: Core system and component applications to document clinical care and research for registered patients at the Clinical Research Center: NIH. This activity is authorized by Section 301 of the Public Health and Safety Act
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The Mayo Clinic for contracted lab tests not performed by the Department Of Laboratory Medicine at the CC.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Patient information collected by the NIH is described in the NIH System of Records 09-25-0099. The information contains IIF and the submission is voluntary based on an individual's consent to become a registered patient at NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is obtained from patient interviews, referring physicians, a multi-disciplinary care team, and diagnostic, therapeutic, and research results. Admission and protocol consent forms are signed by each patient and an information practices notification form is provided to each patient at the time of initial admission. Each patient would be advised at the time of admission about major system changes and the CC Information Practices notice would be revised and provided to each patient.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system and all contained data are protected using administrative, technical, and physical security and privacy controls. System is behind locked doors, monitored by CC TV and cipher locks. In addition, only authorized users have access which is restricted based on user roles and hierarchal passwords.
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954: JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Volunteer Program (CRVP) (Item)
PIA SUMMARY AND APPROVAL COMBINED
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 5, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031
4. Privacy Act System of Records (SOR) Number: 09-25-0012
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name: Clinical Research: Candidate Potential Volunteer and Research Subject Records
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry King
10. Provide an overview of the system: System is used to contain information about potential candidates for participation as volunteers or research subjects participating in clinical research protocols at the Clinical Center.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0012, published in the Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Demographics and health information are collected from program applications, health questionnaires and records of prior participation to provide appropriate persons as volunteers or research subjects in approved research protocols conducted at the Clinical Center. Submission is voluntary if person does not want to be referred as a potential research subject but mandatory for those who do wish to be referred.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Each person is verbally informed of information uses and verbal consent is obtained from each person who wishes to be evaluated as a potential research subject. Each individual is informed of information collection and uses prior to acceptance as a volunteer or patient. Each applicant would be notified directly by phone of any major system changes and new consent would be obtained.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: As per standard CIT procedures for the collection, maintenance and destruction of computer files, as well as what is specified in the PA Systems Notice.
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954: JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
06.3 HHS PIA Summary for Posting (Form) / NIH CC Data Center (CCDC) (Item)
PIA SUMMARY AND APPROVAL COMBINED
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 5, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3007-00-110-031
4. Privacy Act System of Records (SOR) Number: NO
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): NO
7. System Name: Clinical Center Data Center
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Franco
10. Provide an overview of the system: The CC Data Center (CCDC) supports approximately 4,500 users within the NIH Clinical Center, and is located at the Institute’s headquarters on the NIH campus in Bethesda, Maryland.
The CCDC comprises a variety of servers including network servers, application servers, and Web and Internet servers. CCDC has been identified as a Data Center.
While many applications reside within the servers in the CCDC, the CCDC itself does not process or store any data that could be considered IIF.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF collected, stored, or processed.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF collected, stored, or processed. Private shares on CCDC file servers are used by CC personnel for storage of working documents to facilitate performance of their assigned duties. The information in working documents is not IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A--No IIF collected, stored, or processed.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A--No IIF collected, stored, or processed.
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: John Franco: 301-496-6745 jfranco@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
06.3 HHS PIA Summary for Posting (Form) / NIH CC Executive Information System (EIS) (Item)
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 5, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3099-00-403-131
4. Privacy Act System of Records (SOR) Number: NO
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name: CC Executive Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Franco
10. Provide an overview of the system: The Executive Information System (EIS) is an application designed to provide real time reporting of key hospital performance indicators. The EIS provides query and reporting capabilities for executive decision makers, and allows staff to view daily, monthly, annual patient census information and key hospital performance metrics. Census data can be reported by hospital unit and protocol, IC, branch, and Principal Investigator.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NO
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: EIS reports (does not collect) census statistics. Metrics include admissions, inpatient days, outpatient visits, average length of stay, discharges, and patient counts. The information is used by nursing and clinical departments to manage operations and is used by executive leadership to track trends in hospital census activity. There is no personal information submitted to or reported from EIS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: System does not store any IIF.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: John Franco: 301-496-6745 jfranco@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CC Lawson (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 5, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031
4. Privacy Act System of Records (SOR) Number: N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name: Lawson
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Franco
10. Provide an overview of the system: Lawson is an Inventory Management System. Everything that is bought, received, stored, transferred, issued, or disposed of is recorded and controlled. The program is a live inventory, instantaneously recording any supply activity that is entered in the system. It makes daily recommendations both for replenishing the Central Hospital Supply shelves from the Storage & Distribution Warehouse and for reordering supplies that have fallen below their "par levels". It is the database that is linked to the Visual Supply Catalogue to provide the users the best "picture" and information on medical supplies. Finally, in the absence of a true financial link to inventory.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Lawson is supply/inventory software that stores customer (patient care units, Clinics, ancillaries, not real people's names) and product information. The information stored is a history of purchases, receipts, issues, transfers, etc. of supplies and equipment purchased by the Materials Management Department and consumed by the CC.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: This is an inventory management system - No IIF is collected or maintained
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This is an inventory management system - no IIF is collected or maintained.
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: John Franco: 301-496-6745 jfranco@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CC Medical Staff Credentialing Processes (SACRED) (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 10, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00
4. Privacy Act System of Records (SOR) Number: 09-25-0169
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name: Medical Staff Credentials Files
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry King
10. Provide an overview of the system: Information is collected from individual members of the Clinical Center Medical Staff and is used to document their credentialing and privileging under authority of Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Private medical facilities, state medical boards and accrediting bodies as part of the credentialing process.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Names, addresses, phone numbers, medical licenses, college information and related data as part of the individual's application for membership on the Clinical Center Medical Staff. Submission is voluntary since application for membership is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is obtained directly from each applicant and each is informed about information collection procedures and rules when each applicant signs the consent authorizing the collection. Major systems changes would be sent electronically to each member of the medical staff and new consents obtained at the time of reappointment to the staff.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: As per standard CIT procedures for the maintenance, archiving and destruction of computer files and as published in the PA SOR.
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954, JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CC Medicolegal Request Tracking System (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight
1. Date of this Submission: Jul 10, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031
4. Privacy Act System of Records (SOR) Number: 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name: Medicolegal Request Tracking System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry King
10. Provide an overview of the system: The Medicolegal Request Tracking System is used to receive requests for and track copies of medical record documentation sent out by the Medical Record Department to Clinical Center patients and the third parties they authorize to receive such information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0099, published in the Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects patient names, addresses, type of documentation requested for release, as well as the name and addresses of the person/organization to which the documentation is to be sent and the dates of receipt and release. Information is voluntary since release requests are also voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Each individual patient is informed of CC information practices before they are accepted as patients. In addition, each patient must provide a written release before information is sent out for any other purpose. The Medical Record Department would be responsible for revising release request authorization and information practices forms if any major system changes take place.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is maintained under controlled physical access and user identification as well as passwords are in effect for all users.
PIA Reviewer Approval: Promote
Comments: IIF
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954, JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CC Protocol Tracking (PROTRACK) (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 19, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00
4. Privacy Act System of Records (SOR) Number: Systems Notice Submitted for Approval
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name: Jerry King
10. Provide an overview of the system: The Protocol Tracking System is used to collect, maintain and report administrative data about intramural research protocols under authority of Section 301 of the Public Health Service Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH Employees for protocol approval, control and reporting.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The only IIF involved in the Protocol Tracking System are the names of the investigators related to each protocol, all of whom are NIH employees. The name of each principal investigator is mandatory when the protocol is submitted to the IRB for approval.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Employees provide names at the time as a part of the protocol approval process and the names of Government employees are a matter of public record. There are no plans to add additional IIF information at the current time, but the Protocol Service Center would provide notification to each investigator if additions were made in the future.
32. Does the system host a website?: Yes
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access to the Protocol Tracking System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.
PIA Reviewer Approval: Promote
Comments: New SORN filed and pending approval.
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954, JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CC Softmed Automated Medical Record Processing and Tracking Applications (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: Yes
If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight
1. Date of this Submission: Jul 10, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number: 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name: Softmed Automated Medical Record Processing and Tracking Applications
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry King
10. Provide an overview of the system: SoftMed applications contain demographic and tracking information maintained on registered Clinical Center patients in order to route documents for creation, recording, retention, signature and location.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information is collected to identify and route clinical documentation electronically for user review and confirmation. The information collected is patient and clinician demographic information, along with clinical documentation identifiers and location information. The information is voluntarily provided at the time of dictation or authorship and each patient is informed of CC information practices before admission as a patient at the Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The Softmed applications are a part of the medical record system which is an approved Privacy Act System. As such, each individual is informed of all information practices and any major system changes are published under a revised SOR.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All information is protected by applying user ID, hierarchal passwords and administrative controls including supervisor limiting employee access on a need-to-know and minimum amount basis.
PIA Reviewer Approval: Promote
Comments:
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954, JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CC Workforce Tracking (WTMS) (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 10, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3099-00-403-131
4. Privacy Act System of Records (SOR) Number: 09-90-0024
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name: Workforce Tracking Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kathy Krisko
10. Provide an overview of the system: Maintain financial information including salary, benefits, etc. on Clinical Center Employees and contractors.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Reference SOR# 09-90-0024. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0024, published in the Federal Register, Volume 70, No. 126, July 1, 2005.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Names, social security numbers, salaries, employment status, benefits, contract award amounts are collected to manage the Clinical Center budget. Employment is voluntary but data collection is mandatory following acceptance of employment at the Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Will be developed and distributed following completion and publication of the PA Systems Notice for WTMS.
32. Does the system host a website?: Yes
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access to the WTMS System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.
PIA Reviewer Approval: Promote
Comments:
PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954, JKing@nih.gov
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Asynchronous Electronic Discussion (AED) (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: May 14, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3222-00
4. Privacy Act System of Records (SOR) Number: 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name: Asynchronous Electronic Discussion
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Blagaich
10. Provide an overview of the system: A strategic objective of the Center for Scientific Review is to increase the methods of review. This new method, based upon the use of a threaded message board with features tailored to NIH review, permits the asynchronous discussion and private scoring of grant applications without the need for concurrent assembly or teleconference. As an alternative review format, it complements and extends the ways that CSR conducts peer-review at NIH.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Disclosure may be made to the National Technical Information Service (NTIS), Department of Commerce, for dissemination of scientific and fiscal information on funded awards.
Disclosure may be made to the cognizant audit agency for auditing.
Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process.
Disclosure may be made to a Federal agency, in response to its request, in connection with the issuance of a license, grant or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency's decision in the matter.
Disclosure of past performance information pertaining to contractors may be made to a Federal agency upon request. In addition, routine access to past performance information on contractors will be provided to Federal agencies that subscribe to the NIH Contractor Performance System.
Disclosure may be made to a private contractor or Federal agency for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. The contractor or Federal agency will be required to maintain Privacy Act safeguards with respect to these records.
Disclosure may be made to a grantee or contract institution in connection with performance or administration under the conditions of the particular award or contract.
Disclosure may be made to the Department of Justice, or to a court or other adjudicative body, from this system of records when (a) HHS, or any component thereof; or (b) any HHS officer or employee in his or her official capacity; or (c) any HHS officer or employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the officer or employee; or (d) the United States or any agency thereof where HHS determines that the proceeding is likely to affect HHS or any of its components, is a party to proceeding or has any interest in the proceeding, and HHS determines that the records are relevant and necessary to the proceeding and would help in the effective representation of the governmental party.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information types: User contact information - This information is used to create external active directory accounts so that permissions can be granted to reviewers to access grant application and discussion thread information that they are not in conflict with. Grant related information - This information is used during the discussion of grant applications in an online collaborative space in lieu of a physical meeting. The review discussion group scores applications on a scientific merit basis.
The submission is mandatory and does contain IIF information
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system does not gather any information from the public. The system only performs analysis on populated IMPAC II data.
Applicants use specific paper PHS 398 and electronic forms SF424 and PHS416 with instructions about the information to provide and information about how it will be used. The information is entered into the NIH IMPACII system. There are no specific consenting processes beyond this.
The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner that identifies the individual except for the applicants themselves and except as permitted by the Privacy Act.
AED does not change any information and does not have any consent procedures for this. There may be minor changes in IMPACII of information such as to grant application identifiers. This is done without consent but the applicants are informed of the changes via the NIH Commons where applicants access their private information with personal passwords. Significant changes to IMPACII grant application information are achieved by voluntary resubmission of grant application forms by applicants and there are no consent procedures in place for CSR staff. Applicants are informed of major changes in internal use of their data via publication in the NIH Guide.
32. Does the system host a website?: Yes
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical controls: User ID and passwords have to be used for network authentication. SSL is used to secure the data AED uses from IMPAC II.
Administrative controls: AED training is available for the users. The AED system is backed up on a regular basis.
Physical controls: Security guards, identification badges, and key cards are used to gain access to building 12, where the system is located.
The password strength required is centrally controlled.
PIA Reviewer Approval: Promote
Comments:
PIA Reviewer Name: Richard Panniers, TSB, Branch Chief
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Automated Referral Workflow System (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: Feb 21, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3223-00
4. Privacy Act System of Records (SOR) Number: 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): HHS/NIH/CSR/ARWS
7. System Name: NIH/CSR ARWS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: The National Institutes of Health (NIH), Center for Scientific Review (CSR) is responsible for managing the receipt, referral and review of grant applications submitted to NIH. The grant applications referral process today is a manual, time-consuming process that affects the overall elapsed time from initial receipt of an application until the time at which a peer review of the application can be completed.
CSR’s mission is to receive, refer and review NIH’s rapidly increasing flow of grant applications, now reaching several thousand applications per year. A stated goal of CSR is to speed up the grant application review process by reducing the amount of time from receipt to referral. CSR believes that automation of the referral workflow is clearly necessary to achieve CSR’s goals and is responsive to NIH, HHS, and the President’s Management Agenda (PMA) strategic goals and objectives.
The envisioned CSR Automated Referral Workflow System (ARWS) plans to achieve CSR’s strategic goals and objectives by (1) shortening the review process and (2) increasing the transparency, accountability, and uniformity of NIH peer review.
The primary goal of the Automated Referral Workflow System (ARWS) project is to reduce the amount of time required for referral of grant applications by CSR through the development and use of software tools to automate and assist with the assignment of grant applications to the Integrated Review Groups (IRGs) and Scientific Review Groups (SRGs). Secondary goals include providing Institutes/Centers (ICs), IRGs and SRGs with more information about how referral assignments are made and information about possible alternative referral assignments.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is disclosed only to Scientific Review Administrators who are federal staff at NIH and to the contractor, Discovery Logic, who built and maintains the system.
Disclosure may be made to the National Technical Information Service (NTIS), Department of Commerce, for dissemination of scientific and fiscal information on funded awards (abstract of research projects and relevant administrative and financial data).
Disclosure may be made to the cognizant audit agency for auditing.
Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process.
Disclosure may be made to a Federal agency, in response to its request, in connection with the issuance of a license, grant or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency's decision in the matter.
Disclosure of past performance information pertaining to contractors may be made to a Federal agency upon request. In addition, routine access to past performance information on contractors will be provided to Federal agencies that subscribe to the NIH Contractor Performance System.
A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) justifies the risk to the privacy of the individual that additional exposure of the record might bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining that information, and (3) make no further use or disclosure of the record except (a) in emergency circumstances affecting the health or safety of any individual, (b) for use in another research project, under these same conditions, and with written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law; and (D) has secured a written statement attesting to the recipient's understanding of, and willingness to abide by these provisions.
Disclosure may be made to a private contractor or Federal agency for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. The contractor or Federal agency will be required to maintain Privacy Act safeguards with respect to these records.
Disclosure may be made to a grantee or contract institution in connection with performance or administration under the conditions of the particular award or contract.
Disclosure may be made to the Department of Justice, or to a court or other adjudicative body, from this system of records when (a) HHS, or any component thereof; or (b) any HHS officer or employee in his or her official capacity; or (c) any HHS officer or employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the officer or employee; or (d) the United States or any agency thereof where HHS determines that the proceeding is likely to affect HHS or any of its components, is a party to proceeding or has any interest in the proceeding, and HHS determines that the records are relevant and necessary to the proceeding and would help in the effective representation of the governmental party.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Contains the email address of the user adding/updating the chief note. NIH IMPACII identifier for applicant Principal Investigator (PI). First, middle, last name and suffix of applicant. Title of the grant application; proprietary information until a grant award is made (which may never occur). Proprietary text excerpt from a grant application. Contains proprietary text consisting of excerpts from an applicant’s grant application cover letter. Identifying information for Scientific Review Administrators (SRAs) employed by NIH. Can be used to link an SRA back to NIH IMPAC II records. ARWS unique identifier of system user. NIH login name of ARWS user. First, middle, last name and suffix of ARWS user. Email address of ARWS user.
The grant application information is mandatory and is IIF.
Also contains a voluntary cover letter from grant applicants with name and work address. The cover letter is voluntary and may be IIF depending on voluntary content. The letter is only disclosed to their intended targets within the agency and to the contractor developing and maintaining the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system does not gather any information from the public. The system only performs analysis on populated IMPAC II data.
Applicants use specific paper PHS 398 and electronic form SF424 with instructions about the data to provide and information about how it will be used. The information is entered into the NIH IMPACII system. There are no specific consenting processes beyond this.
The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner that identifies the individual except for the applicants themselves and except as permitted by the Privacy Act.
The system does not change any information and does not have any consent procedures for this. There may be minor changes in IMPACII of information such as to grant application identifiers. This is done without consent but the applicants are informed of the changes via the NIH Commons where applicants access their private information with personal passwords. Significant changes to IMPACII grant application information are achieved by voluntary resubmission of grant application forms by applicants and there are no consent procedures in place for CSR staff.
Applicants will be informed of major changes in internal use of PII data via publication in the NIH Guide.
32. Does the system host a website?: Yes
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: ARWS requirements for security must comply with the Privacy Act System of Records Number 09-25-0036 titled, “Extramural Awards and Chartered Advisory Committees: IMPAC (Grant/Contract/Cooperative Agreement Information/Chartered Advisory Committee Information),” HHS/NIH/OER and HHS/NIH/CMO. Included in the system design is the definition of users, roles assigned to users, and system privileges that are linked to user roles. Both the roles and privileges are flexibly defined within ARWS to allow for specification of privileges required to perform specific system functions or view specific data items appropriate for each role. The system permits only authorized and authenticated user access. Additionally, there are Federal (NIST, FIPS, OMB, GAO, agency-level HHS/NIH guidelines and directives compliant) and industry-best practices security measures in place to ensure the system utilizes and ensures the effective use of security controls and authentication tools to protect privacy to the extent feasible. Access to the ARWS system user's records is restricted to authorized users behind the contractor and NIH firewall. Risk of unauthorized access is, therefore, considered low. The ARWS system is maintained in strict compliance with the Privacy Act of 1974.
Authorized user access to information is limited to authorized personnel in the performance of their duties. Authorized personnel include system managers and their staffs, computer personnel, and NIH contractors and subcontractors. Physical safeguards are in place at CSR and the contractor facilities. Procedural and Technical Safeguards: A password is required to access the terminal and a data set name controls the release of data to only authorized users. All users of personal information in connection with the performance of their jobs protect information from public view and from unauthorized personnel entering an unsupervised office. Data on local area network computer files is accessed by keyword known only to authorized personnel. Codes by which automated files may be accessed are changed periodically. This procedure also includes deletion of access codes when employees or contractors leave. New employees and contractors are briefed and the security department is notified of all staff members and contractors authorized to be in secured areas during working and nonworking hours. This list is revised as NIH requires the completion of a computer-based training (CBT) course entitled ‘Computer Security and Awareness’ for NIH staff and contractors. This CBT provides an overview of basic IT security practices and the awareness that knowing or willful disclosure of the sensitive information processed in the system can result in criminal penalties associated with the Privacy Act, Computer Security Act, and other federal laws that apply.
All data transmitted between the server (currently at contractor location) and workstations at CSR are encrypted.
It should also be noted that the ARWS system is hosted at this time as a part of the contractor facility on an interim basis as it is currently in the proof-of-concept stage and used in a limited manner – the system will be moved in the short term as a part of the NIH (CIT) infrastructure. The NIH ISSO and Incident Response Team (IRT) (along with the Security Team Network Operations Team, Web Development Teams, and Administrator Teams) help assure the security of NIH systems, data, and information while maintaining connectivity and interoperability throughout NIH. The IRT responds to computer security incidents, characterizes the nature and severity of incidents, and when appropriate, provides immediate diagnostic and corrective actions. Audit logs are reviewed by appropriate staff.
These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS 45-13, and the Department's Automated Information System Security Handbook.
NOTE: The primary consequence of a breach of security in the form of data erasure or contamination would be a delay in the consideration of a citizen’s grant application.
Risks associated with disclosure of privileged information about grant applications and information about individuals contained in them include, but are not limited to:
Improper disclosure of intellectual property rights.
Compromise of personal employment information.
Compromise of personal education history.
PIA Reviewer Approval: Promote
Comments:
PIA Reviewer Name: Richard Panniers, TSB, Branch Chief
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Internet Website (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 17, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-3204-00-305-109
4. Privacy Act System of Records (SOR) Number: N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): CSR-3
7. System Name: CSR Internet
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Blagaich
10. Provide an overview of the system: Provides information on CSR work to the general public. Authorized by Section 301 of the PHS Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The CSR Internet website is designed to provide information about CSR's mission, resources, and important news to the general public.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A
32. Does the system host a website?: Yes
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Reviewer Approval: Promote
Comments:
PIA Reviewer Name: TSB Chief/Richard Panniers/301-435-1741
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
|
|
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Intranet Website (Item)
|
|
PIA SUMMARY AND APPROVAL COMBINED
|
|
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 17, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-3204-00-305-109
4. Privacy Act System of Records (SOR) Number: 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): CSR-2
7. System Name: CSR Intranet
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Blagaich
10. Provide an overview of the system: Provides information on CSR work to CSR and NIH staff. Authorized by Section 301 of the PHS Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Provides information on CSR work to CSR and NIH staff. The system shares contact information with CSR supervisors for use in crisis notification. SOR #09-25-0106
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Provides information on CSR work (forms, publications, policies) to CSR and NIH staff. The system shares contact information (home phone #, email address, cell phone #) with CSR supervisors for use in crisis notification. The mandatory information will be cell phone, home address, home phone, and personal email address. Voluntary information will be out of area contact information, i.e.: contact name, address, phone, and email address.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: A message is displayed to the employee explaining the purpose and protections in place to safeguard information. There is not a consent process since this information is mandatory and critical to continue the CSR mission in case of emergency.
32. Does the system host a website?: Yes
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
Photos of staff are limited to NIHnet users. IIF in the form of home phone numbers will be restricted to an SSL-enabled website and require user authentication.
Administrative
To access the Intranet entry form and/or an employee listing requires an active directory account that is created and maintained by the central NIH account authority. The initial employee record is entered by the supervisor as part of a desktop support request. Once the employee is situated, he/she enters additional emergency contact information, i.e. home address, cell phone number, and home phone number. This information is required so the Center can contact them in case of emergency. Prior to the employee departure/termination date, the employee is required to complete an online Intranet and physical departure process. The automated record is removed from the system 30 calendar days after the departure date. All database backups no longer have the information after 60 calendar days.
Technical
The employee entry form is located on the CSR Intranet. This server is hosted and maintained by the CIT hosting branch. It physically is located in Building 12. The building has the technical infrastructure to ensure protection of the server from physical and online attacks via ADP room access controls and WAN and LAN intrusion protection. The software program allows the following access to employee records:
Role: Director, CSR, Emergency Coordinator, Director, Division Directors (6) - Records Accessed: All
Role: Branch and IRG Chiefs - Records Accessed: Supervised Employees
Role: All Employees - Records Accessed: Their Supervisor
This access is maintained through the use of Active Directory usernames and passwords. The system administrator password is changed every year. Due to operational necessities, an exception to policy was granted for a year-long password. The CIT hosting branch maintains the operating and database system patch level in accordance with policy set by CERT and the manufacturer.
Physical
Building 12 has access control procedures in place to prevent unauthorized access to CSR servers. In addition, CSR employees are not authorized without escort to enter the ADP room or access servers. All supervisors have the ability to save and/or print a hardcopy of the employee directory. The supervisor is required to keep this information in a locked file cabinet at all times. In addition, the list is stored on the local drive of the supervisor. All hard disks are encrypted using the xxxx software tool.
PIA Reviewer Approval: Promote
Comments:
PIA Reviewer Name: TSB Chief/Richard Panniers/301-435-1741
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Mark Sense Score System (Item)
PIA SUMMARY AND APPROVAL COMBINED
Is this a new PIA 2008?: No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: Jul 17, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-01-4613-00-205-080
4. Privacy Act System of Records (SOR) Number: 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): CSR-6
7. System Name: Mark Sense Scoring System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Blagaich
10. Provide an overview of the system: Downloads from IMPAC II reviewer name, primary investigator name, organization, and title and prints these to Mark Sense scoring sheets. Reads scores from Mark Sense forms and loads scores into IMPAC II. The scores are associated with application ID numbers. Authorized by Section 301 of the PHS Act.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
21. Is the system subject to the Privacy Act?: Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): n/a
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Downloads from IMPAC II reviewer name, primary investigator name, organization, and title and prints these to Mark Sense scoring sheets.
Reads scores from Mark Sense forms and loads scores into IMPAC II.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Electronic Research Administration handles these processes.
32. Does the system host a website?: No
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: User ID and Passwords.
PIA Reviewer Approval: Promote
Comments:
PIA Reviewer Name: TSB Chief/Richard Panniers/301-435-1741
Sr. Official for Privacy Approval: Promote
Comments:
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: Aug 10, 2007
Date Published: Jun 26, 2008
06.3 HHS PIA Summary for Posting (Form) / NIH CSR Time Allocation Project System (TAPS) (Item)
PIA SUMMARY AND APPROVAL COMBINED
Is this a new PIA 2008?: Yes
If this is an existing PIA, please provide a reason for revision:
1. Date of this Submission: May 14, 2007
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number: No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name: Time Allocation Project System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Blagaich
10. Provide an overview of the system: The system is used to document government and contractor labor hours spent on IT initiatives. This information will be used for managing and forecasting CSR’s IT budget. Additionally, project and cost variances are calculated using information collected from this system. Management reports are used on a weekly basis to communicate progress.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No
Note: This question seeks to ide