
National Institutes of Health Privacy Impact Assessments - Page 2


 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Federal Travel Tracking Database
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/25/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CSR Federal Travel Tracking Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dipak Bhattacharyya
10. Provide an overview of the system:  The Federal Travel Tracking Database (FTTD) is an internal system to help the travel planner identify the individual that is reviewing or approving the travel, and manage and track documents returned to the travel planner for changes or to correct errors.  The system does not disseminate any information.  The system does contain information from the travel orders and vouchers, such as names of federal employees.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The Federal Travel Tracking System is a CSR internal system used to track federal employees travel information.  The only fields included are: traveler name, traveler work email, travel request number, (federal employee), travel date, travel mode, travel booking mechanism, arrival location, city, state, and country, type of travel.   The system does not include date of birth of the federal employee. 

The system pulls information from an internal CSR employee database but does not disseminate information to any systems.  Only the name and email address are pulled from the internal CSR database.

Submission of the information is voluntary and for internal tracking of federal employees' travel information only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  1.  The system does not gather any information from the public.  It is not publicly accessible and the information stored in the system is not disclosed to anyone outside of CSR.   Only the federal employee's name and email address are pulled from the internal CSR employee database.
2.  The system does not contain PII; only federal employees' work information is stored in the database for the purpose of tracking and setting up their travel.
3.  The system does not contain PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  There is only Federal employee work information in the database for the purpose of tracking and setting up their travel.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/30/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Financial Operating System (FOS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  7/25/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0036 Extramural Awards and Chartered Advisory Committees (IMPAC 2), Contract Information (DCIS) and Cooperative Agreement Information, HHS/NIH
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  NIH CSR Financial Operating System (FOS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dipak Bhattacharyya
10. Provide an overview of the system:  Due to the large volume of CSR peer review meetings, CSR decided to automate the process of transferring meeting rosters to WTS for the purpose of travel reservations.  In the past CSR staff used to fax the meeting rosters to World Travel Services (WTS).  As reviewers called WTS to make their travel reservations WTS uses the roster to confirm that the individuals making their reservations using the CSR meeting codes are included on each meeting roster.  Financial Operating System (FOS) is a government-to-government contractor application which enhances the timeliness, accuracy and completeness of labor and travel expense data by automating the transmission of data to-from IMPAC II and WTS (World Travel Services) system.  FOS is a conduit to transfer information between systems and is not accessed by users and information is not retrieved by PII.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  FOS is a conduit between IMPAC II and WTS (World Travel Services); the purpose of FOS is not to display data, it is only to transmit data.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1.  FOS transmits the following data: Study Section Meeting Name, Meeting Date, Reviewer Name, Title and work address, Scientific Review Officer name, government phone, and government email, Meeting location.   This information is publicly available on the study section roster as available on the CSR website.
2. FOS transmits to WTS to confirm that individuals making reservations using the CSR meeting codes are included on each meeting roster.
3.  The only PII is reviewer's name.  This is not a Federal employee.
4.  Yes, when the reviewer agrees to be on a study section panel they provide their information voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Information is voluntarily provided by reviewers for input into the IMPAC II system.  IMPAC II is the system that FOS derives all information from.  Notification and consent is not applicable to FOS since FOS is a conduit with no user interface.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The PII is secured through Technical Controls: user IDs and passwords are used for network authentication.  SSL is used to secure downloaded data.  Physical controls: security guards, identification badges, and key cards are used to gain access to Building 12, where the system is located.  The required password strength for CSR and NIH users is implemented by NIH through logical access controls that provide protection from unauthorized access, alteration, loss, disclosure, and availability of information in accordance with HHS' Information Security Program.  Administrative Controls: limited direct access to FOS to IMB team.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Floissac (301-435-0657)
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Grant Redundant Application Search Program (GRASP)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/25/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0036
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Grant Redundant Application Search Program (GRASP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dipak Bhattacharyya
10. Provide an overview of the system:  The system has the following operational functionality:
- Compare new grant application submissions to a database of previous application submissions (and potentially other sources).
(1) use of original material from others
(2) submission of multiple applications
(3) renamed applications
(4) already completed work
- Displays output summarizing findings
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The system discloses PII only internally and not with other systems or externally for the purpose of receipt and referral of applications.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) Data provided will be text parseable documents, specifically grant applications in one or more 'pdf' files and other files that communicate other grant application information as extracted from the IMPAC II system (eCommons name, PI name, etc). 
Only text will be uploaded to GRASP system; that text will be readily parseable, and not image format requiring optical character recognition.

(2) CSR shall use the information provided in order to minimize the resources and time used in identifying inequality amongst grant applicants. These inequalities include the duplicative and overlapping use of original material from others, the submission of multiple applications, renamed applications, and requesting funding for already completed work. 

(3) Yes, this system does contain PII.

(4) Voluntary.   The PII information is collected from the existing IMPACII system where applicants submit grant applications for review.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  As GRASP will utilize historical data from IMPACII, no processes are in place to obtain consent from individuals who submitted applications.  IMPAC II Systems of Record Notice is in place.

The GRASP system shall collect historical application data to be part of the comparison effort and transferred to the data warehouse (dbGRASP) in the GRASP system. This data will be parsed, formatted and indexed for use by the GRASP system.  The source for all comparison work will be historical information from IMPAC II.  Periodically, a data extract representing new entries to IMPAC will be created and transferred to the GRASP data warehouse.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Administrative Controls: role-based access; appropriate system security plan, contingency plan, file back-up, training of users, and retention and destruction policies are in place.
Technical: User ID, passwords, firewall, VPN, encryption and IDS are in place on all CSR systems.
Physical: guards, ID badges and key cards are utilized at the server location and the CSR offices.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/14/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Internet Assisted Meeting (IAM)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/25/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-05-02-3222-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0036
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Internet Assisted Meeting (IAM)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dipak Bhattacharyya
10. Provide an overview of the system:  A strategic objective of the Center for Scientific Review is to enrich methods for review of grant applications.  This new method, based upon the use of a threaded message board with features tailored to NIH review, permits the asynchronous discussion and private scoring of grant applications without the need for concurrent assembly or teleconference.  As an alternative review format, it complements and extends the ways that CSR conducts peer-review at NIH.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The system shares or discloses email address, name and IMPAC II identifiers (Commons ID name, and NIH login name) with reviewers, NIH program officers, and CSR SRO's for the purposes of peer review.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  Information type:  Grant related information is used during the discussion of grant applications in an online collaborative space in lieu of a physical meeting.  The reviewers score applications on a scientific merit basis.

The submission is mandatory and does contain IIF (Information Identifiable Form which is name and email using SSL.).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  The system does not gather any information from the public and it is not a publicly accessible system. The system only uses downloaded data in read format from IMPAC II.

The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner that identifies the individual except for the applicants themselves and except as permitted by the Privacy Act.

IAM does not change any information and does not have any consent procedures for this. There might be minor changes in IMPACII of some information such as grant application identifiers.  Applicants can also access their personal information through NIH Commons with their personal passwords and logon names. Significant changes to grant application information that IAM downloads from IMPACII are achieved by voluntary resubmission of grant application by applicants and there are no consent procedures in place for CSR staff.  Applicants are informed of major changes in internal use of their data via publication in the NIH Guidelines published on the CSR Internet.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The PII is secured through Technical controls:  User ID and passwords have to be used for  network authentication.  SSL is used to secure downloaded data. Administrative controls:  IAM training is available for CSR users and reviewers.  Training materials are updated and IAM system is backed up on a regular basis.
Physical controls:  1 System located in 2 locations: Building 12: Security guards, identification badges, and key cards are used to gain access.  CSR Data Center Sterling: security guards, identification badges, key cards, cipher locks, biometrics (fingerprint scan) and closed-circuit TV.
The required password strength for CSR and NIH users is implemented by NIH through logical access controls that provide protection from unauthorized access, alteration, loss, disclosure, and availability of information in accordance with HHS' Information Security Program. The required password strength for external users is enforced through account lockout controls with limiting number of consecutive failed log-on attempts; sign-on warning banner at IAM access point; automatically timed out session; deletion of external user information with automatic deletion of  whole IAM web site 2 hrs after the meeting is completed.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/19/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Internet Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/25/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-27-02-3204-00-305-109
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-90-0018
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  CSR-3
7. System Name (Align with system Item name):  CSR Internet
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Bhattacharyya, Dipak
10. Provide an overview of the system:  Provide resources for applicants, news and reports, information about CSR and peer review meetings to the general public. Authorized by Section 301 of the PHS Act.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  General public, applicants and reviewers can get access to CSR staff directory and study sections rosters. CSR Internet application has been created for the purpose of providing information to NIH and scientific community on the world wide web.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  1. CSR internet maintains and disseminates name and photographic identifiers.
2. To clearly identify the person within the organizational structure.
3. The only PII maintained within the system is the person's name and photographic identifiers.
4. The user does not submit information to CSR.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Data in staff directory and rosters do not change without users' consent, and approval. Users submit their information for posting to CSR web developers mostly in electronic form.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Covered by CSR Security Plan
Authorized by Section 301 of the PHS Act.
CSR Web site is designed as a public service to provide information to general audience. Every page on CSR web site is accessible to general public including people with disabilities.
Technical controls are provided by NIH. The application data are backed up daily.
CSR Web site is updated regularly.
Physical controls: Security guards, identification badges, and key cards are used to gain access to Building 12, where the system is located.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  1/11/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR LAN [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/25/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A - GSS PIA included for C&A purposes only
5. OMB Information Collection Approval Number:  N/A -GSS PIA included for C&A purposes only
6. Other Identifying Number(s):  N/A -GSS PIA included for C&A purposes only
7. System Name (Align with system Item name):  NIH CSR Local Area Network (CSR LAN)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Prema Nair
10. Provide an overview of the system:  CSR LAN GSS is the front end parent reportable system that passes NIH common controls to CSR internet, CSR telework program, GRASP, eCD, NIH College of CSR Reviewers, and Real Time Meeting Status Tool.  In addition, it will also pass NIH common controls to CSR intranet parent reportable systems.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A - GSS PIA included for C&A purposes only
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  N/A - GSS PIA included for C&A purposes only
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A - GSS PIA included for C&A purposes only
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A - GSS PIA included for C&A purposes only
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/19/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Member Application Notification (MAN)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  7/25/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0036
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Member Application Notification (MAN)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Dipak Bhattacharyya
10. Provide an overview of the system:  The MAN system provides daily notifications of initial application assignment to a given Integrated Review Group (IRG) Chief (or their designee) if at least one application has received its initial review assignment to their IRG (or directly to a SRG or SEP within their IRG) or their SRC99 (in the case of ICs) and meets the specified business rules.
- Identify only applications with mechanism types limited to R01, R21, and R34 submitted by only appointed chartered study section members (not temporary or ad hoc) to as recorded in IMPAC II.
- Exclude applications for which appointed members have a role other than PD/PI, including appointed members serving as sponsors for fellowship applications or mentors for career award applications.
- Applications with multiple PI/PDs should be identified if one or more are eligible based on their status as a study section member (It's not necessary for all of the PI/PD's of a given application to be members)
- Identify and include eligible funding opportunity announcements such as PA, PAR, and PAS per CSR R&R guidance
- Send notifications to individual Outlook group addresses for each of the IRGs (Chiefs and their designees) and each of the ICs (Review Chief and their designees)
- The application accession number, appid, application title, application assignment information, and the list of PI/PDs should be included in the notification to the IRGs or ICs.
- Application title in the IRG Chief's report
- Allow IRG Chiefs to indicate whether or not applications are continuous submissions and capture designation in the database
- Allow IRG Chiefs to look at applications from all other IRGs received within the last two months and indicate which they can review by entering status into database.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  The MAN system provides daily notifications of initial application assignment to a given Integrated Review Group (IRG) Chief (or their designee) if at least one application has received its initial review assignment to their IRG (or directly to a SRG or SEP within their IRG) or their SRC99 (in the case of ICs) and meets the specified business rules.
- Identify only applications with mechanism types limited to R01, R21, and R34 submitted by only appointed chartered study section members (not temporary or ad hoc) to as recorded in IMPAC II.
- Exclude applications for which appointed members have a role other than PD/PI, including appointed members serving as sponsors for fellowship applications or mentors for career award applications.
- Applications with multiple PI/PDs should be identified if one or more are eligible based on their status as a study section member (It's not necessary for all of the PI/PD's of a given application to be members)
- Identify and include eligible funding opportunity announcements such as PA, PAR, and PAS per CSR R&R guidance
- Send notifications to individual Outlook group addresses for each of the IRGs (Chiefs and their designees) and each of the ICs (Review Chief and their designees)
- The application accession number, appid, application title, application assignment information, and the list of PI/PDs should be included in the notification to the IRGs or ICs.
- Application title in the IRG Chief's report
- Allow IRG Chiefs to indicate whether or not applications are continuous submissions and capture designation in the database
- Allow IRG Chiefs to look at applications from all other IRGs received within the last two months and indicate which they can review by entering status into database.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  (1) The combined monthly report and the email generated have the fields specified:
a. IC
b. MEMBER IRG
c. CMTE
d. MEM PI NAME
e. MEMBER START DATE
f. MEMBER END DATE
g. GRANT NUM
h. ACCESSION NUM
i. APPL CLUSTER IRG
j. STUDY SECTION FULL
k. RFA PA NUMBER
l. COUNCIL DATE
m. APPLICATION RECEIVED DATE

IMPAC II is the source of all application data.

(2) The MAN System ensures that Integrated Review Groups (IRGs) Chiefs and IC Review Chiefs/contacts are aware of the assignment of applications submitted by chartered members of the standing study sections to Integrated Review Groups (IRGs) and Study Sections.

(3) Yes

(4) Voluntary. All information is provided via the IMPAC II system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  All data contained within this system is pulled from IMPAC II. The system does not gather any information directly from the public. It is not publicly accessible and the information is not disclosed to anyone outside of CSR. Individuals have the opportunity to view the Privacy Statement from the IMPAC II website.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  Administrative Controls: role-based access; appropriate system security plan, contingency plan, file back-up, training of users, and retention and destruction policies are in place.
Technical: User ID, passwords, firewall, VPN, encryption and IDS are in place on all CSR systems.
Physical: guards, ID badges and key cards are utilized at the server location and the CSR offices.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR National Registry of Volunteer Reviewers
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/25/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NA
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH CSR National Registry of Volunteer Reviewers
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nair Prema, Diane Stassi, Weijia Ni
10. Provide an overview of the system: The CSR National Registry of Volunteer Reviewers is an Access-based database that contains information provided by volunteer scientists who are interested in serving on CSR grant review panels. Information provided includes: Name, Degree, Title, Institution, Department, Email, Web Address(es), Area of Expertise/Keywords, Study Section or IRG, Recent funding sources, Referring Society, QVR Person ID, NIH review and grant history, Geographical Region, Date Registered, SRO Contact Records (check boxes for “Contacted” and “Served” as well as date and SRO name), and an SRO Reviewer Evaluation field (check boxes 1-5 – for scientific expertise and review performance). The database is available to everyone in CSR who has access to the CSR share drive. The database is searchable by Keyword, IRG, and Region.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is disclosed to anyone in CSR with access to the Share Drive, including Scientific Review Officers, IRG Chiefs, Division Directors, and personnel in the Director’s Office. The information will be used to 1) identify highly qualified reviewers who are willing to serve on study sections and 2) report back to the referring societies on how many of their recommended reviewers have served on panels.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information collected for the CSR National Registry of Volunteer Reviewers contains IIF. The following information is voluntarily provided by scientists who are interested in serving on CSR grant review panels: Name, Degree, Title, Institution, Department, Email, Web Address(es), Area of Expertise/Keywords, Study Section or IRG, Recent funding sources, and Referring Society. In addition to this information, the developers of the database add the volunteer’s QVR Person ID and NIH Review history (if they are in the system), Geographical Region, Date Registered, and Reviewer Evaluation (check boxes 1-5 – for scientific expertise and review performance). Individuals using the database (primarily Scientific Review Officers) may add Contact Records (check boxes for “Contacted” and “Served”, date and SRO name) as well as reviewer evaluation. The information will be used to identify highly qualified reviewers to serve on study section panels and to provide feedback to societies on whether their members are serving on panels.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No major changes are expected to occur to the database. If any changes are made, we will notify all individuals via email. We will be collecting the following IIF: Name, Mailing Address, Phone Numbers, Device Identifiers, Web Uniform Resource Locator(s) (URL), Email Address, and QVR Identifier. Individuals will be notified via email describing the IIF obtained and that we will use this information to identify highly qualified reviewers who are willing to serve on study sections. This information is stored in a database that is available to CSR employees, and specifically created for Scientific Review Officer use. The email notification will also give the individual the option of rescinding their information, at which point the system developers will destroy (permanently delete) the IIF provided.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls. To run the database, SROs download it to their C-Drives from Share drive. Access to the CSR Share drive is limited. Personnel with access to the database have been trained and are aware of their responsibilities for protecting IIF.
Physical controls. Rockledge 2 is secured by guards, employee identification badges and keycards.
Technical controls: All CSR laptop computers are encrypted. User identification, passwords, firewall, VPN are currently in place. Security patches for servers and laptops are always kept current.
The NIH incident response team will notify the CSR ISSO of any security incidents detected. Users will notify the CSR ISSO and NIH Helpdesk of any security incidents.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Out of Town Calendar
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 7/25/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A - no PII
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CSR Out of Town Calendar
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Dipak Bhattacharyya
10. Provide an overview of the system: The out-of-town meeting calendar provides calendaring functionality that allows Scientific Review Officers and associated CSR staff to verify the dates and locations of peer review meetings that take place across the United States. The calendar enables filtering and data input abilities that minimize extraneous processes currently being used; Scientific Review Officers will be able to select the location and time where they would like to schedule a meeting.
This calendar has the following features:

1) Coordinate out-of-town and local meetings across all institutional review groups
2) Help DEAS provide coverage for out-of-town and local meetings
3) Create meeting reports for Chiefs and the Office of the Director
4) Provide a repository for meeting information such as hotel name, date & time of meeting.
5) Provide centralized access to Google Maps and hotel survey data

13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) Meeting date, location, Scientific Reviewer Officer name, Council round, meeting staff name (CSR staff).
(2) To coordinate scheduling activities for CSR staff.
(3) The information does not contain PII.
(4) CSR staff enters data, such as (see number 1 above). The only personal information is the names of the CSR staff involved in the meeting which is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The system does not gather any information from the public and it is not a publicly accessible system. The system uses downloaded data in read format from IMPAC II as well as data entered by the user (Federal employee).

The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner that identifies the individual except for the applicants themselves and except as permitted by the Privacy Act.

We do not notify any individuals regarding PII, because there is no PII contained in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not contain any PII. However, the system has the following controls.
Administrative controls: Training as needed. The system is backed up on a regular basis.
Technical controls: User ID and password have to be used for network authentication.
Physical controls: Security guards, ID badges, and Key cards are used to gain access to bldg. 12 where it is housed.
The required password strength for CSR and NIH users is implemented by NIH through local access controls that provide protection from unauthorized access, alteration, loss, disclosure, and availability of information in accordance with HHS information security program.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Performance Management Appraisal Program (PMAP)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/25/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Performance Management Appraisal Program (PMAP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: The PMAP review system provides an automated process for specific members of Office of the Director (OD) and Managers to review the written performance summaries of two categories of CSR staff. This process streamlines the previously manual process and provides for more effective time management and evaluation techniques. The scope of the PMAP review system automates the previous process for performance reviews for ease of use. The product has the following features:
• PMAPs grouped by Division, IRG and/or Branch – in a table-like structure
• Display the names of all CSR staff within selected group/IRG/branch
• Ability to individually select performance summary, out of staff listing
• Allow display of performance summary and assigned score, for the PMAP being reviewed
• Ability to change the assigned score, if desired
• Ability to update changes to the PMAP and create a permanent record
• Store the performance summaries
• Display the current number out of total for specified group (3 out of 10)
• Ability to move to next performance summary within same group
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The PMAP system maintains information including employee name, work phone, work email, performance rating, and salary. (2) PMAP is a required HHS annual process to rate the performance of employees. This system streamlines the process electronically. (3) Yes. (4) Mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1) No major changes anticipated. (2) The PMAP process is a required HHS process of which employees are notified when they are hired. (3) Information will be used by supervisors and the administrators to rate the performance of employees.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative
To log on the Intranet requires an active directory account, which is created and maintained by the central NIH account authority. This system is hosted by the CSR intranet and will have role-based access for supervisors, administrators and the technical team.
Technical
The employee entry form is located on the CSR Intranet. The server where CSR database resides is hosted and maintained by the CSR Sterling, VA data center. It is physically located in Sterling VA. The building has the technical infrastructure to ensure protection of the server from physical and online attacks via ADP room access controls and WAN and LAN intrusion protection.

This access is maintained through NIH active directory. The system administrator's password is changed every 60 days. CSR provides the operating and database systems patch in accordance with policy set by CERT.

Physical
Building 12 has access control procedures in place to prevent unauthorized access to CSR servers. In addition, CSR employees are not authorized without escort to enter the ADP room or access servers. All hard drives are encrypted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Qualifying Therapeutic Discovery Program
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 7/25/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH CSR Qualifying Therapeutic Discovery Program (QTDP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya; George Chacko
10. Provide an overview of the system: The Qualifying Therapeutic Discovery Project (QTDP) program is provided under new section 48D of the Internal Revenue Code (IRC), enacted as part of the Patient Protection and Affordable Care Act of 2010 (P.L. 111-148).

Under the program, eligible taxpayers may apply for certification from the Internal Revenue Service (IRS) of a qualified investment with respect to a qualifying therapeutic discovery project as eligible for a credit, or for certain taxpayers, a grant from the Department of the Treasury.

The IRS will certify an eligible taxpayer’s qualified investment only if:

(1) HHS determines that the taxpayer’s project is a qualifying therapeutic discovery project (as defined in section 4.02 of IRS Notice 2010-45). Specifically, HHS will determine whether an applicant's project meets the definition of a “qualifying therapeutic discovery project”, which means projects designed to:
treat or prevent diseases or conditions by conducting pre-clinical activities, clinical trials and clinical studies or carrying out research protocols, for the purpose of securing Food and Drug Administration approval of a product,
diagnose diseases or conditions or to determine molecular factors related to diseases or conditions by developing molecular diagnostics to guide therapeutic decisions, or
develop a product, process or technology to further the delivery or administration of therapeutics.
(2) HHS determines that the taxpayer’s project shows reasonable potential (a) to result in new therapies (i) to treat areas of unmet medical need, or (ii) to prevent, detect, or treat chronic or acute diseases and conditions, (b) to reduce long-term health care costs in the United States, or (c) to significantly advance the goal of curing cancer within the 30-year period beginning on May 21, 2010; and
(3) The IRS determines that the taxpayer’s project is among those projects that have the greatest potential (a) to create and sustain (directly or indirectly) high quality, high-paying jobs in the United States, and (b) to advance United States competitiveness in the fields of life, biological, and medical sciences.

To apply, companies must use:

· Form 8942, Application for Certification of Qualified Investments Eligible for Credits and Grants Under the Qualifying Therapeutic Discovery Project Program (Catalog Number 37748D).
· Applicants must also include a Project Information Memorandum (PIM), as instructed in IRS Notice 2010-45.
Applications may be submitted beginning June 21 and must be submitted no later than July 21, 2010. IRS will send to NIH the PIM. The IRS will issue certifications by October 29, 2010.

HHS/NIH’s role: The statute requires the Secretary of the Department of the Treasury to consult with the Secretary of the Department of Health and Human Services (HHS) in conducting this program as described above in (1) and (2).

NIH’s Role in Review of the PIM:

Applications will initially be reviewed by HHS/NIH to determine whether or not they meet the definition of "qualifying therapeutic discovery project" (see questions 1-4 in the Project Information Memorandum), and whether they show a reasonable potential to meet the statutory goals (see questions 5-8 and 9-11 in the Project Information Memorandum). The reviews will be accomplished by reviewers coordinated by the National Institutes of Health. All applications that are considered, based on that review, to cover qualifying therapeutic discovery projects that show a reasonable potential under § 48D(d)(3)(A) will be considered by the IRS as it makes its determination whether the requirements under § 48D(d)(3)(B) are satisfied.

Review Procedure:

·IRS sends by courier only the PIM sections of the application for NIH review.
·Each application is initially assigned for evaluation to one reviewer.
·The reviewer evaluates the contents of the application (PIM) and recommends scores. [Predecisional]
·In cases of s
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) IRS sends by courier only the PIM sections of the application for NIH review. The PIM section includes Corporate Tax ID, Corporate Address, Principal Investigator Name, Location, Contact Information (federal employee information)
·Each application is initially assigned for evaluation to one reviewer.
·The reviewer evaluates the contents of the application (PIM) and recommends scores. [Predecisional]
·In cases of scores below the cutoff value that would be recommended for funding, a second reviewer is assigned to ensure that applications that meet the definition of a qualifying therapeutic discovery project and show reasonable potential based on the statutory goals of the program (as defined in IRS Notice 2010-45) are not being eliminated.
·All results are reviewed and approved by a second level panel, which examines these suggestions and approves, rejects, or modifies them. [Decisional]
·In the interest of protecting reviewer confidentiality, predecisional details (specifically, the identity of the reviewer assigned to individual applications) are destroyed 15 days after the review. An aggregate list of all reviewers involved in the project is published. A similar procedure is followed in NIH grant review.
(2) These results are reviewed by HHS and transmitted to IRS in the form of a list of applications for IRS to consider for certification.
(3) Taxpayer ID # of submitting organization, name of organization, name of contact person for the organization - are included/maintained as part of the application.
(4) Voluntary - submitting grant applications to IRS of their own accord.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1). The system contains information provided by the Internal Revenue Service. We do not obtain any information from the public.

(2). We are not collecting any PII from individuals; the information that will be provided to us will be obtained from the Internal Revenue Service. The IRS will provide the name of contact person for each Applicant organization, taxpayer identification number, and a unique identifier.

(3). The information in each record will be evaluated for its scientific potential. The data within the system will be looked at by scientific reviewers, project implementation team and returned to the IRS in about three months from now.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The PII is secured through Technical controls: User ID and passwords have to be used for network authentication.
Physical controls: Security guards, ID badges, and Key Cards are used to gain access to Sterling where the system will be housed.
The required password strength for CSR and NIH users is implemented by NIH through logical access controls that provide protection from unauthorized access, alteration, loss, disclosure, and availability of information in accordance with the HHS Information Security Program.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR privacy coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR Real Time Meeting Status Tool
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 7/25/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): NIH-CSR Real Time Meeting Status Tool
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: The RTMS is an electronic tool through which program officers will have real-time access to the progress of the discussions of the applications in different review meetings. Updated information on review meeting progress allows program officers to plan their attendance at different meetings accordingly. This process allows for better time management for program officers and increases the transparency of our review meetings.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system displays the Principal Investigator's (PI) name for the purpose of viewing the associated PI's name for each grant under review. This PI name is static data for display purposes only and understanding the discussion order of grant applications during the review meeting.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) RTMS pulls the following information from Internet Assisted Review (IAR); a subsystem of IMPACII: Grant application number, Application number, NIH Program Officers (NIH employees), Meeting agenda number, Application discussion order number, Application review order number, Meeting start date, Meeting end date, Meeting name.
(2) To allow program officers to better regulate their time during the review of their IC respective applications.
(3) The system contains the name of the Principal Investigator. This person can be a non Federal employee.
(4) Data is not entered by the user. The system displays data from IAR.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1). The RTMS does not notify individuals whose PII is in the system of any changes occurring to the system.
(2) The RTMS does not obtain consent from individuals regarding PII. The information is displayed in a static fashion from a feed to IAR, a subsystem of IMPAC II.
(3). The system does not gather any information from the public and it is not a publicly accessible system. The system only uses downloaded data in read format from IAR. The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner that identifies the individual except for the applicants and except as permitted by the Privacy Act. The sole purpose of this data display is to assist the program officer (PO) in viewing the status of the respective applications during meeting discussions. For example, they will see if it is: in progress or complete.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical controls: user ID and passwords have to be used for network authentication. SSL is used to secure downloaded data. Administrative Controls: Role-based access.
Physical controls: security guards, ID badges and Key Cards are used to gain access to Bldg 12 where the system is located.
Training materials are updated and system is backed up on a regular basis.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR SOFie (Status of Funds)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/25/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nair Prema, Debbie Elliott
10. Provide an overview of the system: The SOFie application supports the efforts of several offices and branches within the IC, allowing budget offices to track expenditures in appropriate funds in a fiscal year. The program contains a tracking mechanism to track prior year funds as well. The application downloads this information from the NIH Data Warehouse weekly. Information entered into the SOFie database is not uploaded into the NIH Data Warehouse database. SOFie is not a source database for other information systems.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from CAS/Central Accounting System mainframe and is specific to CSR for its fiscal year operations. The information is general accounting info by category (ex. wages), with totals by category, and nothing specific to individual employees. The system contains no IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized user access to information is limited to authorized personnel for performance of their duties. Authorized personnel include NIH employees, system managers and computer personnel. Physical safeguards are in place at CSR and the contractor facilities. Access codes are deleted when employees leave CSR. New employees have obligatory training and NIH/CSR security department is notified of all staff members and contractors authorized to be in secured areas during working and nonworking hours. The list is revised at NIH and requires the completion of a computer-based training (CBT) course entitled ‘Computer Security and Awareness’ for NIH staff and contractors. This CBT provides an overview of basic IT security practices and the awareness that knowing or willful disclosure of the sensitive information processed in the system can result in criminal penalties associated with the Privacy Act, Computer Security Act, and other federal laws that apply.

All data transmitted between the server (currently at contractor location) and workstations at CSR are encrypted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR SREA Financial Tracking System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/25/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): CSR SREA Financial Tracking System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Renee Harris, Dipak Bhattacharyya, Thao Tran, and Prema Nair
10. Provide an overview of the system: The SREA Office’s main function is to support the CSR Peer Review by the 1) procurement of hotel meeting rooms, sleeping rooms, reviewer airfare, AV and 2) Payment to Non-Federal Reviewers who provide expertise in reviewing grants applications.
We expect that by having a SREA Financial Tracking system we will be better equipped to serve NIH/CSR as a whole. Specifically, it is proposed that a web-based system will enable SREA to better monitor and track Peer Review expenditures in an electronic format which can be queried to do historical data analyses on a regular basis. We will also be able to allow secured access to SREA Data at multiple levels: administrative, user, and read-only. In addition, we will be in compliance with the NIH COOP and NIH Vital Records initiatives by electronically housing procurement documents attached to a corresponding ticket.
SREA is implementing a pilot for other NIH Institute/Center personnel to access an IC specific report on the SREA Financial Tracking System via a web link.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not Applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The SREA Financial Tracking Database utilizes PII - in the form of the Scientific Review Officer (SRO) name - from IMPAC-II. This information is used to create a dropdown menu with the SRO names listed in the SREA database. SRO names are used to identify review meetings. In the event a reviewer declines payment of honorarium, their name is manually entered into the SREA database by users to document payment refusals. SRO name is mandatory. Reviewer name is voluntary. Vendor information (hotels): contact name, phone number, email, DUNS, and Tax ID Number.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) We do not anticipate any major changes to the system. In the event of a major change involving PII, a process will be put in place. Individuals are notified via email regarding the PII in the system and how it is used.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access controls are in place for servers along with FDCC guidelines.
NIST and FISMA rules and regulations are applied to servers.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH CSR zApps
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 7/25/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): There are no additional identifying numbers.
7. System Name (Align with system Item name): NIH CSR Secure Email File Transfer
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya
10. Provide an overview of the system: CSR will be using SEFT (Secure Electronic File Transfer) to allow CSR employees to share information securely with other federal agencies and external individuals. There are two roles in the exchange: sender and recipient. Senders initiate the file transfer and recipients can only receive the file transferred. The basic process is: (1) the sender creates a package of files and sends it to any email address; the email message contains a URL link to the package of files; (2) the recipient is notified about the delivery; (3) the recipient clicks on the link to retrieve the package; the recipient is prompted for an ID and password. Only NIH/CSR employees can send files. Both senders and recipients must be registered to use SEFT. Users self-register for the service. NIH/CSR employees register for the service through the CSR SEFT system. Recipients register for the service when they receive an email notification for the first time.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII is disclosed.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: CSR collects names, email addresses, and answers to password reset questions for users of the systems. Email addresses are required to identify users. The email addresses are personal and/or professional addresses of CSR reviewers and are provided voluntarily by those reviewers.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Users self-register for the SEFT service. The information collected is put into the system with their knowledge.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include SOPs for administering the system and a change management process to ensure only authorized changes are implemented. Technical controls include user identification and authentication, assignment of roles within the SEFT service and access controls to protect the data. Physical controls include guard(s) at the entrance to the data center where the SEFT server is housed and card readers.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Michael Floissac, CSR Privacy Coordinator
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH FIC CareerTrac [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/3/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-1903-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: 0925-0568
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): CareerTrac
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Linda Kupfer
10. Provide an overview of the system: CareerTrac is a global trainee tracking and evaluation system for the Fogarty International Center (FIC), National Institutes of Health. The goal of this system is to create a complete trainee roster for all FIC research training programs and to monitor outputs, outcomes and impacts of FIC international trainees.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): FIC takes every reasonable precaution to protect information. CareerTrac system is securely hosted under NIH firewall and the password is encrypted. FIC maintains appropriate physical, electronic and procedural safeguards to ensure the security, integrity and privacy of trainee’s personal information. Unless legally mandated, FIC will not disclose any of the following information: employment history, phone, fax, year of birth, biographical data, gender (except in aggregate), minority status (except in aggregate), current training status, return home (except in aggregate), and career accomplishments (only in aggregate – except where in the public domain).

FIC understands the delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. Access to CareerTrac data will be granted only to those organizations/individuals, which must, in the course of exercising their responsibilities, use the specific information. The requests for access to CareerTrac data will be carefully reviewed and the following information may be disclosed for routine uses: trainee’s name, area of training, country of origin, work email, degrees earned through FIC funded programs, accomplishments that are public products, and career highlights of the trainee information. The audience for this information may include, but is not restricted to:
The FIC, NIH, HHS and Congress for reporting and evaluation purposes;
The Principal Investigator (PI) and Collaborators for the purpose of monitoring the program, submitting progress reports and grant applications and writing journal articles describing the programs;
FIC co-funding partners and Co-sponsors of FIC programs for the purpose of reporting progress and conducting evaluations of the programs
Interested public, for example, for the purpose of convening a scientific meeting in a particular country to which former trainees will be invited
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system will collect, track, and report on information about international trainees - such as trainee name, contact information, biographical information, and training information. The system also supports tracking of trainee accomplishments - such as fellowships, awards, employment, other education, product or policy developments, publications, funding received, presentations, posters at scientific conferences, and students taught.
The purpose of the system is to enable effectiveness evaluations of health research training programs, funded by NIH/FIC, for international trainees.
The information may be used by or disclosure may be made to (1) the FIC, NIH, HHS and Congress for reporting and evaluation purposes; (2) the academic community (including PIs and Collaborators) for the purpose of monitoring the program, submitting progress reports and grant applications and writing journal articles describing the programs; (3) FIC co-funding partners and co-sponsors of FIC programs for the purpose of reporting progress and conducting evaluations of the programs; (4) interested public, for example, for the purpose of convening a scientific meeting in a particular country to which former trainees will be invited.
The personal information is submitted on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) We will provide the trainees with a written document that will notify the trainees about the purpose of data and how it will be used and shared. The trainees will have to read Privacy Act Disclosure and sign 'Certificate and Acceptance' form (which is part of the document) before PIs can enter their personal information into the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: A variety of safeguards are implemented in order to protect the information collected through CareerTrac system. Regular access to information in CareerTrac is limited to PHS or to contractor employees who are conducting, reviewing or contributing to the system. Other access is granted only on a case-by-case basis, consistent with the restrictions, as authorized by the system manager or designated responsible official.

Administrative Control: CareerTrac has a system security plan and backup plan. The files are backed up regularly and they are stored in secure offsite locations.

Technical Control: CareerTrac system is securely hosted under NIH firewall and the password is encrypted and changed routinely. PIs can only view the trainees from their grant. FIC maintains appropriate physical, electronic and procedural safeguards to ensure the security, integrity and privacy of trainee's information.

Physical access controls are in place for CareerTrac. Records are stored in closed or locked containers, in areas which are not accessible to unauthorized users, and in facilities which are locked when not in use. Sensitive records are not left exposed to unauthorized persons at any time. The following are some of the physical controls in place to safeguard system and data collected: closed circuit TV, identification badges and guards.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Marcia Smith
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH FIC Status of Funds Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH FIC Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Danielle Bielenstein
10. Provide an overview of the system: SOFie is a financial tracking tool that allows users to access financial data and download the data from nVision (the NIH Central Accounting System) into spreadsheets in order to perform budget analysis.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: FIC accounting transactions and data are downloaded from nVision (the NIH Central Accounting System). The data is used to plan, track, and report on expenditures, enabling the FIC budget office to comply with appropriation laws and regulations. The data contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A - no PII in system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A - no PII in system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Marcia Smith
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH NCAT Clinical and Translational Science Awards Study Management System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: TBD
6. Other Identifying Number(s): Westat internal Project ID 8668
7. System Name (Align with system Item name): NIH NCRR National Evaluation of the Clinical and Translational Science Awards (CTSA) Initiative Study Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Patricia Newman
10. Provide an overview of the system: The CTSA Initiative is directed at transforming the way biomedical research is conducted nationwide by reducing the time it takes for basic science or laboratory discoveries to become treatments for patients, and for those treatments in turn to be incorporated and disseminated throughout community practice. The CTSA-SMS will include a variety of data to support an evaluation of the first four cohorts of CTSA awardee institutions and the CTSA Consortium. The system stores, processes, and transmits all information related to the study including data submitted by awardees in Non-Competing Continuation Progress Reports (PHS 2590), surveys and responses, staff and agency contact information, study data and reports, and other electronic and hardcopy information.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The CTSA-SMS collects and maintains a variety of information types. Data submitted to NIH in award applications, Non-Competing Continuation Progress Reports (PHS 2590), and other routine award reporting include award numbers, names, professional email addresses, telephone contact information, and NIH commons ID and person ID. In addition to the identifying information used to locate and contact survey participants, the system will store, process, and transmit basic data respondents volunteer regarding employment, education, and demographics. Information in the CTSA-SMS will be used to provide analytical and policy support to NCRR, assisting NIH in making decisions about current CTSA programming, future funding, and other initiatives to improve clinical and translational science. It may also provide information for NIH’s Government Performance and Results Act (GPRA) report. At least one journal article based on the findings will be developed and submitted for publication. Information collected constitutes PII such as name, mailing addresses, personal email address, and employment status. Disclosure of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The CTSA-SMS will be used only to collect survey data, analyze data, and produce reports for the CTSA evaluation study. The CTSA-SMS will be retired upon conclusion of the study. No major changes to the CTSA-SMS affecting disclosure and/or data use are anticipated. In the unlikely event of future major change to the CTSA-SMS affecting status or use of personally identifiable information (PII), privacy notice of consent is provided in writing or via email to affected individuals.
Notification and consent from individuals for collection of PII is provided in the survey: “Pursuant to 5 CFR 1320.5(b), an agency may not conduct or sponsor, and a person is not required to respond to an information collection unless it displays a valid OMB control number. The OMB control number for this collection is 0348-XXXX.”
Each survey is preceded by a message to the individual which specifies why the information is being collected and how it will be used (i.e., The NIH leadership is interested in learning more about the use of CTSA resources.)
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information will be secured on the system through access controls, personnel security awareness and training, regular auditing of information and information management processes, careful monitoring of a properly accredited CTSA-SMS information system, control of changes to the system, by appropriate planning and testing of configuration management and contingency processes, by ensuring that all users of the CTSA-SMS are properly identified and authorized for access and are aware of and acknowledge the system rules of behavior, by ensuring that any contingency or incident is handled expeditiously, properly maintaining the system and regulating the environment it operates in, by controlling media, by evaluating risks and planning for information management and information system operations, by ensuring that the system and any exchange of information is protected, by maintaining the confidentiality and integrity of the CTSA-SMS, and by adhering to the requirements established in the contract and statement of work.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:

Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)

Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/16/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCAT Employee Database Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NCRR Employee Database Internet Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bonnie Richards
10. Provide an overview of the system: EDie is a web-based application that allows Institutes to accurately maintain individual employee, contractor, fellow, guest, and volunteer information, as well as plan for, monitor, and report on workforce staffing levels. To minimize duplicate data entry, the standard business systems from which EDie currently downloads are the NIH Human Resources Database (HRDB), the Fellowship Payment System (FPS), the NIH Enterprise Directory (NED), and FSA Atlas. HRDB is EDie’s source for information about general hire employees, including General Schedule, General Wage, Commissioned Officers, and others. The official data that is stored in HRDB, including payroll information, is available for each employee and can be viewed by those users with corresponding access privileges. FPS is the source for information about visiting fellows, including their stipend and sponsorship information. NED is the source for information about contractors and other special volunteers. Because these are not direct hire employees, there is no payroll or FTE information available for these employees. EDie also pulls in locator information from NED for every employee that is stored in EDie and who has a corresponding NED ID. FSA Atlas is the source for Visa information. EDie provides an efficient and effective way to manage and report on the workforce of the Institute/Center (IC). It provides the ability to track and report on planning records. It allows users to update staff information for future actions while also having the ability to view the official source information, staffing summary and trend information.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EDie tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the Human Resources Database (HRDB) system, Fellowship Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports requested by the NIH Director, the IC Director, and other management staff, as requested; and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments. Information collected constitutes PII such as name, date of birth, social security number, personal mailing address, personal phone numbers, personal email address, education records and employment status. It is mandatory for employees to submit personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS, nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is used are relayed to employees via official notices from the NIH Office of Human Resources (OHR). Individuals are notified of the collection and use of the data as part of the hiring process. This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII stored in EDie is accessed by a very limited number of administrative staff with a “need-to-know” status. EDie is password protected and sensitive data is encrypted. The system is located on a server in a secure server room behind the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 1/11/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Clinical and Translational Science Awards [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Clinical and Translational Science Awards (CTSA)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Josephine Kennedy
10. Provide an overview of the system: CTSA is a collaborative web site facilitating robust communications among clinical and translational science communities, which enables multi-way discussions about the important new national effort to develop clinical and translational research. The CTSA system consists of the CTSA public website, the CTSA Management System for managing data, and the CTSA-Wiki (for information sharing among grantees funded under the CTSA program).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Control and Oversight -Program Monitoring Information; Public Affairs – Customer Services; Public Affairs – Product Outreach; and, Public Affairs – Public Relations. The system does not collect or maintain IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Construction Grants Management System (CGMS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCRR Construction Grants Management System (CGMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Josephine Kennedy
10. Provide an overview of the system: The system is used to track C06 Construction grants.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: CGMS only contains Grant data, not financial data and not Privacy Act data: Grants Financial Management – Reporting and Information; Grants Planning and Resource Allocation - Budget Formulation Information; Program Monitoring Control and Oversight. No IIF is collected or maintained in the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Electronic Funds Management System (eFMS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCRR Electronic Funds Management System (eFMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sean Hagan
10. Provide an overview of the system: The eFMS is a web-enabled fiscal planning tool of the current fiscal year for the Office of Financial Management (OFM) and NCRR managers. Both dynamic data from IMPAC II and local non-enterprise data are available. Grant data are displayed in a variety of formats, including web pages, web summary tables, Excel spreadsheets and formal reports. This system provides the Budget Officer with a means to ensure appropriate fiscal control, monitor obligations to verify compliance, and provide accurate, current information to NCRR management for the NCRR extramural portfolio.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: eFMS only contains Grant data, not financial data and not Privacy Act data: Grants Financial Management – Reporting and Information; Grants Planning and Resource Allocation - Budget Formulation Information; Program Monitoring Control and Oversight. No IIF is collected or maintained in the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Grants Workflow Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Grants Workflow Information System (GWIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Gregory Farber, Ph.D.
10. Provide an overview of the system: GWIS provides web-based and Microsoft Outlook integration to help authorized NCRR personnel automate and improve the grant management processes/workflows.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: GWIS is an internal grants workflow solution. Information is obtained from the IMPAC II and eFMS (NCRR Electronic Funds Management System). This information is for internal use only, and only the minimal necessary data is collected to support the NCRR internal grants workflow process. GWIS is integrated with Microsoft Outlook for authorized NCRR users. Workflows have been identified and are being developed to process Unsolicited Administrative Supplements, Carry-Over Requests, Funding Opportunity Announcements (FOAs)/ Program Announcements, Annual Progress Report Approvals, National Advisory Research Resources Council (NARRC) Processes, New and Competing Continuation Awards, and Competitive Administrative Supplements.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Internet
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 3/30/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCATS Internet Website
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Josephine Kennedy
10. Provide an overview of the system: NCATS Public Website used to disseminate information about NCRR resources and grant programs to biomedical researchers with NIH or other peer-reviewed funding via the world wide web.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NCATS website will disseminate information on NCATS initiatives and activities of relevance to the research community. Shares only employee office contact information: name, title, position description, office location and phone numbers to expedite communication with the public. This information is not considered IIF because it is publicly available and in the context of how it is presented cannot cause harm to the individual.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No Information in Identifiable Form. NCATS employees are notified that their office contact information is made publicly available in the course of their duties.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: NA
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:

Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Intranet
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCRR Intranet
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sean Hagan
10. Provide an overview of the system: To disseminate relevant information and useful dynamic applications to Center employees.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NCRR Intranet is used internally to disseminate useful information to authorized NCRR employees and contractors. Shares employee information: name, title, position description, office location and phone numbers (internally only) to increase organizational communication and efficiency. This information is not considered IIF because it is publicly available and in the context of how it is presented cannot cause harm to the individual. This information is "opt out" for each employee.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name:
Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS NCRR General Support System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4802-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCRR General Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Josephine Kennedy
10. Provide an overview of the system: The system is a General Support System (GSS) and does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system is a General Support System (GSS) and does not directly collect or store information. The applications/systems residing on the GSS collect and store information. Therefore, individual PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Science Information System (SIS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4802-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCRR Science Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: R. Jean Babb
10. Provide an overview of the system: A database system used by NCRR staff to review annual progress report data, code the research activities, and prepare reports highlighting scientific accomplishments. This information is invaluable in supporting GPRA, PART, and other materials used to inform the Administration, Congress, interested parties and the general public. NCRR is working to integrate and strengthen clinical informatics.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NCRR and NIH budget officials for reporting to Congress. Shares information internally for generating funding reports for NIH OD and Congress. Ref: 09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information is obtained from the IMPAC II system and populates this database for internal use only. Information collected is the minimal necessary to code and report on research projects for funding the grantees and investigators. Mandatory for eRA submission. In addition, SIS now collects the name, email address, phone number (and Fax) for external users needed for the Federated Login process of registering users in the external active directory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The process in place is governed by IMPAC II, an NIH Enterprise System maintained by eRA. SIS has no additional processes in place.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Policy and procedures are in place for administrative management of the system. Technical control is: username and password login, firewalls, IDS, antivirus, and audit logs. Physical access to the server room is protected by double set of locked doors and must be accessed using a key fob and pass code (cipher lock).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Status of Funds Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCRR SOFIE
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bonnie Richards
10. Provide an overview of the system: Manage expenditures and obligations. The purpose of the system is to monitor expenditures. Program helps project the budget; allows users to know how much money is left in the FY to spend.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: All accounting transactions are available for viewing in VSOF. The information is used to track and plan fiscal budgets. It is necessary to have access to this data in order to comply with appropriations laws and regulations. Data elements stored are: arbitrary Document #, Object Class Code, Vendor, Description of Expenses, and Purchase Amount.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCATS Visual Employee Database System (VEDS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NCRR Visual Employee Database System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bonnie Richards
10. Provide an overview of the system: VEDS is a windows based application primarily used to track personnel information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The data is shared internally for administrative use only and will not be shared with other entities. Ref: 09-90-0018
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NETCOMM application collects personal information from the NIH Human Resource Database (HRDB) through bi-weekly downloads. Social security numbers, names, grades, salaries, addresses, telephone numbers, and job titles are included in the data collected. The data collected is used to manage the organization's personnel information. Under authority 42 USC 287c-21
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) IIF in the system is gathered from the HRDB and NED systems. Changes to the system or changes in the way the information is used are relayed to employees via official notices from NCRR or the System Owners. Individuals are notified of the collection and use of data as part of the hiring process; this is mandatory if the potential job applicant wishes to seek employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to sensitive data fields is limited to those that need to know. Each user signs a security statement, and any violation results in loss of access to the system. Policy and procedures are in place for administrative management of the system. Technical control is: username and password login, firewalls, IDS, antivirus, and audit logs. Physical access to the server room is protected by a double set of locked doors and must be accessed using a key fob and pass code (cipher lock).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Josephine Kennedy (NCRR ISSO, delegated by the NCRR Privacy Coordinator, Cindy McConnell)
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Employee Database, Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Significant System Management Changes 
1. Date of this Submission: 12/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-014
7. System Name (Align with system Item name): NIH NCCAM Employee Database, Internet Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Robin Klevins
10. Provide an overview of the system: EDie is a web-based application that allows institutes to accurately maintain individual employee, contractor, and volunteer information, as well as plan for, monitor, and report on workforce staffing levels.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is intended for internal senior administrative use only and will not be shared by other entities. Refer to SORN 09-90-0018.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EDie tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the Human Resources Database (HRDB) system, Fellowship Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports requested by the NIH Director, the IC Director, and other management staff, as requested; and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments. The type of information collected constitutes PII and includes the following: name, address, phone number, social security number and date of birth, and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS, nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is used are relayed to employees via official notices from the NIH Office of Human Resources (OHR). Individuals are notified of the collection and use of the data as part of the hiring process. This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII stored in EDie is accessed by a very limited number of administrative staff with a “need-to-know” status. EDie is password protected and sensitive data is encrypted. The system is located in Building 31, Rm 2B11 behind the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/2/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 
06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Internet Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 3/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-001
7. System Name (Align with system Item name): NCCAM Internet Web Site
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Liu
10. Provide an overview of the system: The NCCAM Web site (www.nccam.nih.gov) is used to disseminate scientifically accurate information about complementary and alternative medicine to the public and to health officials via the World Wide Web.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NCCAM Web site (www.nccam.nih.gov) is used to disseminate scientifically accurate information about complementary and alternative medicine to the public and to health officials via the World Wide Web. NCCAM is not collecting personal information through the NCCAM Web site. Note: NCCAM has submitted a separate PIA for the NCCAM Online Continuing Education Series (please reference that PIA for more information).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not Applicable
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 4/3/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Intranet Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 3/12/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-002
7. System Name (Align with system Item name): NCCAM Intranet Web Site
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Liu
10. Provide an overview of the system: The NCCAM Intranet Web site (intranet.nccam.nih.gov) is used to disseminate relevant information and useful dynamic applications to employees of the National Center for Complementary and Alternative Medicine (NCCAM). The key legislation authorizing this Web site is 42 USC 287c-21.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NCCAM Intranet Web site (intranet.nccam.nih.gov) is used to disseminate relevant information and useful dynamic applications to employees of the National Center for Complementary and Alternative Medicine (NCCAM). We are not collecting personal information through the NCCAM intranet Web site.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not Applicable
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 4/3/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM NCCAM Local Network [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 2/27/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): Not Applicable
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): NCCAM-015
7. System Name (Align with system Item name): NIH NCCAM Local Network
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Gallagher
10. Provide an overview of the system: The system is a General Support System (GSS) and does not directly collect or store information. The GSS provides infrastructure support to minor NCCAM applications.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not Applicable - The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system is a General Support System (GSS) and does not directly collect or store information. The applications/systems residing on the GSS collect and store information. Therefore, individual PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not Applicable, system does not collect PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Not Applicable, system does not collect PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Online Continuing Education Series
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-010
7. System Name (Align with system Item name): NIH NCCAM Online Continuing Education Series
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Liu
10. Provide an overview of the system: NCCAM Online Continuing Education Series (OCES) supports the NCCAM mission by providing free access to several educational video lectures and continuing medical education completion documents. OCES is designed for health care providers and the general public to view lectures on Complementary Alternative Medicine (CAM). Health care providers may receive continuing education credits.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Cine-med Inc, the accrediting entity has access to PII through OCES. The purpose is to provide continuing education credits to trainees.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Users may VOLUNTARILY provide the following information:
Name, Mailing address, Email, and Education Records, which is considered PII.

The purpose of the system is to provide continuing education credits. The information is only to be used by Cine-med Inc, an accrediting entity.

Collection of this data is authorized under authority 42 USC 287c-21
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) NCCAM does not expect to have major changes to the system.

A privacy policy is posted to inform users of the purpose of data collection and explain that data will only be used to confirm registrant participation in the continuing education program (in case they request a copy of their certificate).
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII stored by this system is secured by several locked and secure doors, badges are required for access to the facility and room, and user identification and passwords are required for system access. Files are backed up regularly and stored off site. Personnel have been trained to store and handle information collected.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 6/14/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Records Management Database
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/8/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-008
7. System Name (Align with system Item name): NCCAM Records Management Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Erica St. Michel
10. Provide an overview of the system: The Records Management Database is a Microsoft Access 2007 database that tracks the status of NCCAM inactive paper records transferred to the Washington National Records Center and/or the National Archives. The database contains information about file types; file names; creation, disposition, transfer, and destruction dates; and records retention schedule authorities, which are required to manage, track, and retrieve these files. No IIF is collected or stored at any point by the database. Authorizing legislation: 42 USC 287c-21.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information collected includes file names and disposition dates in an effort to effectively manage records. Only necessary information is collected. No IIF is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM SharePoint
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 5/29/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-013
7. System Name (Align with system Item name): NCCAM SharePoint
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Linda Rich
10. Provide an overview of the system: The system holds grant application information that is retrieved from the IMPAC II database with additional tracking information added for the purpose of application grant approval. The system tracks grant applications under authority 42 USC 287c-21.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): For internal purposes only; IIF will not be shared OR disclosed. SOR #09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: A grant application is submitted voluntarily by the Investigator through the electronic application submission process in Grants.gov. That information subsequently is stored in the centralized NIH eRA/IMPAC II database - all notifications and consent procedures with subjects are handled at that level. For the purpose of preparation and tracking of selected grants for funding at the IC/NCCAM level, selected data are downloaded from the eRA database into SharePoint. The selected IIF data are restricted to: Investigator Name and Degrees, Institution, Project Title, e-mail address. In SharePoint that data is used only by NCCAM staff members who have been selected and approved by senior level staff for the purpose of grant preparation and tracking. The data is not shared with nor disclosed to any party, and is deleted on a routine basis (each fiscal year) when it is no longer needed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All IIF information is obtained from the NIH IMPAC II system. Any major changes to the system should be handled at the NIH level. Notifications and consent procedures with subjects are also handled at the NIH level. NCCAM does not have a notification process in place as the applications database does not collect the initial IIF. It is only a recipient of IIF collected by another database that is maintained at the NIH level thus we do not have our own notification process to obtain IIF from individuals. This system does not have any notification procedures in place in addition to those in place for the IMPAC II system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The SharePoint system is electronically behind the NIH firewall and can only be accessed from behind the firewall. The information is physically secured by a required key card and employee badge, and electronically secured by a password login procedure to the NIH computer system, and a requirement of a password when accessing the database. A comprehensive IRT is also maintained. Information is also secured by least privilege, separation of duties, an intrusion detection system, locks and background investigations.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Status of Funds Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 2/22/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCCAM-011
7. System Name (Align with system Item name): NIH NCCAM Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Valery Gheen
10. Provide an overview of the system: SOFie is a financial tracking tool that allows users to access financial data and download data into spreadsheets in order to perform analysis.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Status of Funds internet edition (SOFie) is required by the Administrative and Budget offices of NCCAM for tracking and monitoring the Center’s budget. Utilizing client-server technology, SOFie gives users flexible views and summaries of their accounting structure. The Accounting data and related document information is downloaded from CAS and is relevant to/specific to NCCAM for its fiscal year operations. It is necessary to have access to this data in order to comply with appropriation laws and regulations. The system contains no IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A - No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using user name and password, least privilege, separation of duties and intrusion detection system, firewalls, locks, badge access, background investigations.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica St. Michel (301) 594-5769
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/29/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI AARP Phase I Pilot Study (APS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: TBD
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: 0925-0594
6. Other Identifying Number(s): Z01 CP010196
7. System Name (Align with system Item name): NIH NCI AARP Phase I Pilot Study (APS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Yikyung Park
10. Provide an overview of the system: The APS is a web-based system that manages the data collection activities related to the completion of four web-based instruments that capture dietary, physical activity and health information. The APS allows for a respondent to consent and complete a self-enrollment process. Enrollment includes the collection of contact information. Upon successful enrollment, respondents are assigned instruments to complete and a schedule by which to complete. Access to the instruments is granted to respondent based on assigned schedule. Email, text messaging, and automated phone calls are generated to remind respondents of upcoming and overdue events.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII will not be shared nor disclosed. This collection is covered under System of Records Notice 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Respondents will be asked for their name, email address and phone numbers as part of the study conduct to send reminders of upcoming events via automated outgoing phone calls, cell phone text messaging and email. Respondents can opt-out of cell phone text message and automated phone call reminders.
Phone numbers are also collected for use of providing support to study respondents.
Date of birth is collected to verify enrollment criteria (>50 yrs of age) as well as to characterize respondent when determining aggregate response rates.
Race, ethnicity, and state are also collected to characterize respondent.
Social security number is collected for a subset of the respondents in order to determine the response rates and the likelihood in any main study of being able to link to cancer and other health registries for endpoint analyses.
The following fields are required:
Gender, OMB race category(ies), ethnicity, first and last names, mailing address, email, and social security number for a subset of respondents.
Participation is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The scope of the feasibility study is limited and there are no plans to make any major changes to the system. In the event of any changes that impact PII, respondents will be notified via email of a change and be directed to log into their APS account for details or contact the APS helpdesk.
The consent text included in the system specifies what PII is being collected and how it will be used or shared. Additionally, the system includes frequently asked questions (FAQs) that further explain how IIF information is stored and will be used.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The following classes of controls are in place to protect the APS and respondent PII: access such as user account management, access enforcement, password strength, least privilege concept, session termination; security awareness and training; audit and accountability; configuration management; contingency planning; identification and authentication for users, devices; incident response including training, testing, monitoring; timely and controlled maintenance; media protection; physical and environment controls such as id badges, physical access authorization using access cards, key locks and cipher locks for building and room entry, monitoring, visitor control, emergency power, and shutoff, disaster protection and recovery; system security plan; personnel security; rules of behavior; risk assessment planning, monitoring, update; technical and communication protection including denial of service protection; boundary protection, programmable firewalls, transmission integrity; security certificates, encryption, regular virus detection and monitoring; policies and procedures are in place for each family control class
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI ABCC Laboratory Information Management System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Advanced Bioinformatics Computer Center Laboratory Information Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jin Chen, Building 430 - FCRDC, 226, 1050 Boyles Street, Frederick, MD, Phone: 301-846-5549
10. Provide an overview of the system: The ABCC LIMS is a bio-informatics analysis tool in the ABCC (Advanced Biomedical Computing Center). It is a web based single server application hosted by the ABCC-IT Infrastructure and residing in that data center.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: LIMS collects sample, inventory, parameters and data file used or generated in work flow. LIMS also uses project and client information from CSAS system for enterprise cross system integration purposes, where client information includes federal contact data. LIMS also holds lab user email address for identification purposes. Submission of federal contact information is voluntary. Information does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI AdEERS Filing System (AdEERS FS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: To be obtained
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: To be obtained
6. Other Identifying Number(s): NA
7. System Name (Align with system Item name): NIH NCI AdEERS Filing System (AdEERS FS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jan Casadei
10. Provide an overview of the system: The purpose of the CTEP AdEERS Filing System is to collect, store, manage and report expedited adverse events related data. The data collected is stored in hardcopy format in secure filing systems as well as secure Electronic Filing Systems operated by NCI CTEP contractors managing this process. Expedited adverse event information is reported to FDA as required in accordance with FDA regulations and guidelines.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): AdEERS FS shares and discloses adverse events related information on NCI sponsored clinical trials with FDA, NCI Investigators and Pharmaceutical sponsors in accordance with federal regulations and guidelines. Most of the information that AdEERS FS collects and shares is publicly available elsewhere.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Legislation authority is the Public Health Service Act (42 U.S.C. 241, 242, 248, 282, 284, 285a-j, 285l-q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.).

The types of data collected are scientific and health data about cancer clinical trials, including clinical and pre-clinical data with associated regulatory and administrative supporting information.

AdEERS FS collects clinical trials data including study information, submitter/reporter information, principal investigator information, treatment assignment, relationship of events to treatments, time of resolution of events, narrative description, events that occurred and their grading and attribution, primary source documents that provide clinical information on the patient’s evaluations and course of treatments and hospitalization, etc. Additionally, name, mailing address, phone number and email are also collected and maintained.

The information is used to assure patient safety, for scientific decision making, drug distribution, regulatory oversight (i.e., investigator registration, trial audits, etc.), and to facilitate administrative operations.

NCI Investigators who participate in NCI sponsored clinical trials submit their information to CTEP in a signed Investigator Registration (IR) packet. This investigator registration packet, along with an additional cover letter, explains to the investigators the intended purpose and usage of their information.

Patient participation in CTEP clinical trials is voluntary and participants in CTEP clinical trials sign an informed consent.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All patients sign informed consent forms prior to enrollment on study. Informed consent forms are obtained in compliance with OHRP/IRB and ORI regulations.

AdEERS FS shares and discloses adverse events related information on NCI sponsored clinical trials with FDA, NCI Investigators and Pharmaceutical sponsors in accordance with federal regulations and guidelines. Most of the information that AdEERS FS collects and shares is publicly available elsewhere.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Data in AdEERS Filing System is protected via Administrative, Technical and Physical controls. Hard copy documents are filed in secure filing cabinets behind a locked door in a secure environment with restricted access to the facilities. Only select authorized staff are allowed to access the hard copies. Access logs to hard copy documents are maintained. Access to data stored in the Electronic Filing System is through a password-protected account. The Server on which the Electronic Filing System is hosted is maintained in secure facilities.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Advanced Biomedical Computing Center (ABCC)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-15
7. System Name (Align with system Item name): NCI Advanced Biomedical Computing Center ABCC
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jack R. Collins
10. Provide an overview of the system: The mission of the Advanced Biomedical Computing Center (ABCC) is to provide high performance computing for the National Cancer Institute, both for its intramural and extramural scientists.
Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information collected consists of name, work phone number, work address, and work e-mail of government employees. This is collected when people sign up to take a class on how to use the ABCC. None of the data collected is information subject to the Privacy Act
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII in this system
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII collected. System uses firewalls, passwords, locks, id badges, background investigations, network monitoring and an Incident Response team.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Advanced Biomedical Computing Center IT Infrastructure [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Advanced Biomedical Computing Center IT Infrastructure
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Gregory Warth, Building 430 - FCRDC, 234, 1050 Boyles Street, Frederick, MD, Phone: 301-228-4376
10. Provide an overview of the system: The ABCC data center is a 3800 SQFT facility capable of handling 310KW of equipment housed in a secure space accessible only by swipe card where every transaction is recorded. The NCI-Frederick network is part of and attached to the NCI network via a Firewall. All network, service, storage, and other nodes are under change control and comply with FDCC and NIH’s minimum standard security configurations. There are approximately 5000 workstations and 800 servers attached to the network.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system consists only of infrastructure. All information is housed within applications that the infrastructure supports.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) System contains no PII data
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not contain PII data
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Agricultural Health Study --Westat (AHSW)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: 0925-0406
6. Other Identifying Number(s): AHSW
7. System Name (Align with system Item name): NIH NCI Agricultural Health Study - Westat (AHSW)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Alavanja / Stanley Legum
10. Provide an overview of the system: The Agricultural Health Study is a collaborative effort involving the National Cancer Institute (NCI), the National Institute of Environmental Health Sciences (NIEHS), and the U.S. Environmental Protection Agency (EPA). The study has four major components:

1. The main prospective cohort study - cancer and non-cancer outcomes
a. linkage with cancer registries, vital statistics, United States Renal Data System (USRDS)
b. ongoing data collection (i.e., telephone interview, food frequency questionnaire and cheek cell collection)
2. Cross-sectional studies - including questionnaire data, functional measures, biomarkers, and GIS
3. Nested case-control studies
4. Exposure assessment and validation studies

The cohort includes 89,658 private pesticide applicators, spouses of private applicators, and commercial pesticide applicators recruited within Iowa and North Carolina. Phase I, initial cohort recruitment, began in 1993 and concluded in 1997. Phase II follow-up began in 1999 and concluded in 2003. The Phase III follow-up began in 2005 and concluded in February 2010. Phase I observation involved administration of a questionnaire to obtain information on pesticide use, other agricultural exposures, work practices that modify exposures, and other activities that may affect either exposure or disease risks (e.g. diet, exercise, alcohol consumption, medical conditions, family history of cancer, other occupations, and smoking history). Phase II had three data collection components: a computer-assisted telephone interview (CATI), buccal cell collection, and a mailed dietary questionnaire. Phase II interviews are designed to record updated information on pesticide use since enrollment, current farming and work practices, and changes in health status. In addition, the Dietary Health Questionnaire in Phase II makes a detailed evaluation of subjects' cooking practices and dietary intake. The buccal cell collection of Phase II was implemented to assess the impact of genetic risk factors on epidemiologic outcomes. Phase III included two data collection components: a CATI interview and a buccal cell collection for selected members of the cohort. In addition to Phase II and Phase III data collection activities that include the whole cohort, a series of sub-studies involving a small number of study participants will directly measure applicator and family member exposures to selected pesticides and/or focus in greater detail on subgroups with specific diseases or exposures.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information Management Services (IMS - separately contracted by NCI - performs data analyses for NCI) National Death Index (NDI) - Annual match with NDI Plus files. Internal Revenue Service - to obtain updated address information. This system is also covered under the Privacy Act System of Records Notice 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: AHS analytic data files do not contain direct identifiers such as name, address, or SSNs. PII is shared with NDI and the IRS when we are performing matches to NDI and IRS files. Contact information (name, address, phone number) is stored in anticipation of use in future substudies, cohort maintenance purposes (e.g., possible mailings of study update newsletters), and matching with state and national vital statistics and health registries.

The AHS has four major components:

1. Main prospective cohort study - cancer and non-cancer outcomes
a. linkage with cancer registries, vital statistics, United States Renal Data System (USRDS)
b. data collection (i.e., telephone interview, food frequency questionnaire and cheek cell collection (no longer on-going)
2. Cross-sectional studies - including questionnaire data, functional measures, biomarkers, and GIS
3. Nested case-control studies
4. Exposure assessment and validation studies

There were also a series of sub-studies involving a small number of study participants that directly measured applicator and family member exposures to selected pesticides and/or focused in greater detail on subgroups with specific diseases or exposures. Additional substudies may be conducted in the future.

Participation is voluntary.

PII collected and maintained include name, date of birth, social security number, mailing address, phone number, and pesticide application certificate types.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There have been no major changes in the system and none are contemplated. Our IRB would review any major changes prior to implementation and provide us with guidance on any needed notification and consent requirements.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Extensive safeguards are in place to ensure the confidentiality of each subject is protected. Each subject is assigned a six-digit number; these IDs are used for any references to subjects on an individual basis. Names and other identifying information are kept in a separate database from the analytic files. These data are joined only for performing linkages to the mortality and cancer incidences databases and for direct contacts with cohort members to inform them of study progress or to request their participation in substudies. Several layers of passwords exist to ensure unauthorized access to electronically stored data is not permitted. Hard copies of questionnaires that contain any personal information have been shredded. Informed consent forms, which contain subjects' names and study IDs are stored in a secure facility separate from other study data. All personnel involved with the project have signed confidentiality agreements.

Files with PII are stored in a directory accessible only to the project's lead systems manager and one programmer. Data stored in the SQL Server contact database are protected with application level security and an additional password. Data stored in other file formats are encrypted when not in use and the encryption key is known only by the same two staff members. The files are never left in unencrypted form over night so that automatic backups contain only encrypted versions.

The system is protected by firewalls, intrusion detection systems, and passwords. There are comprehensive system security and contingency plans in place. An Incident Response capability is maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Automated Self-Administered 24-Hour Recall (ASA24)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Automated Self-Administered 24-hour Recall (ASA24)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Nancy Potischman
10. Provide an overview of the system: Self-reported dietary assessment methods are commonly used to measure food intakes for dietary surveillance, nutritional epidemiology, clinical and intervention research. We developed a 24-hour dietary recall that could be unannounced, automated, and self-administered to make feasible the administration of multiple days of recalls in large-scale epidemiological studies, surveillance sites, behavioral trials and clinical research. The format and design were modeled on the interviewer-administered Automated Multiple Pass Method (AMPM) developed by the US Department of Agriculture (USDA). The website collects information about subjects' diet for the previous day for extramural researchers doing epidemiologic or clinical research. There is no personally identifiable information collected on this site. The respondents are given a username and password by the NCI in order to gain access to the website. Participation in these studies is voluntary and nonparticipation has no impact on the subjects' care or involvement in other aspects of the studies.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The diet information collected provides a service for outside researchers and will not be used by the agency. The system does not contain PII and the information is provided by subjects on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Automated Self-Administered 24-Hour Recall (ASA24) Researcher Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Automated Self-Administered 24-Hour Recall (ASA24) Researcher Website
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Potischman
10. Provide an overview of the system: Researchers visit this website to gain access to the subjects' website (ASA24) for their research studies. The researcher will visit the site to provide lists of subjects' IDs with their dates for visiting the subjects' website and later will monitor their study and obtain the final data files of nutrients and foods consumed by each subject. Subject IDs are not linked to personal information at NCI. The Study ID is linked at the NCI to a username and password for each subject to gain access to the ASA24. The researcher provides their name, institution and email contact information as well as similar information for other staff with permission to visit the site on their behalf. The researcher provides only institutional information not personal email and other contact information. Participation is voluntary.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information the researcher provides is institutional email and contact information. None of this information relates to personal information and is not shared with anyone outside of the ASA24 team. The Study ID, username and password information on respondents is not linked to any personal information. The username is linked to dietary information stored from the respondent's reports while visiting the ASA24 website. Participation by the researcher is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Biospecimen Research Database/Biospecimen Research Network (BRD/BRN)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight 
1. Date of this Submission: 9/13/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): Not applicable
5. OMB Information Collection Approval Number: Not applicable
6. Other Identifying Number(s): Not applicable
7. System Name (Align with system Item name): NIH NCI Biospecimen Research Database/Biospecimen Research Network (BRD/BRN)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Andrew Breychak/Ian Fore (owner)/Ajay Nalamala/Amit Srivastava
10. Provide an overview of the system: The Biospecimen Research Database (BRD) is a searchable public data repository of published papers and studies collected from PubMed that have been consistently annotated for the purposes of biospecimen science. As of June 1, 2011 there are approximately 1,140 records (each record representing a study). There are 1 system administrator and 3 curators who have access to add/edit/delete the data using a secure web curation interface.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not applicable; no PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) No information collected, records maintained are published papers & studies gathered from PubMed, curated, and disseminated (no contact data)
2) NCI-OBBR uses this information to disseminate curated information about existing published papers & studies where significant findings for biospecimen science have occurred
3) This information and application contain NO PII
4) Submission of personal information is NOT required and therefore neither voluntary nor mandatory
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not applicable; no PII is collected or disseminated.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Not applicable; No PII is collected, stored, or disseminated by this system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/21/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI California Health Interview Survey (CHIS) Information Technology System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0598
6. Other Identifying Number(s): N02-PC-54400
7. System Name (Align with system Item name): California Health Interview Survey (CHIS) Information Technology System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Breen - NCI /Sansan Lin - UCLA
10. Provide an overview of the system: The California Health Interview Survey (CHIS) is a population-based random-digit dial telephone survey of California's population conducted every other year since 2001 by the UCLA Center for Health Policy Research (UCLA-CHPR). UCLA-CHPR has the lead responsibility of managing the survey, preparing, maintaining, and disseminating the CHIS data files, reporting the survey findings, and disseminating the survey results. All CHIS confidential data files are maintained at the Data Access Center (DAC). No PII is contained with the CHIS confidential data files. The Data Access Center is designed to provide access to CHIS confidential files in a secured, controlled environment that protects the confidentiality of respondents.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII in the system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: All data received by UCLA-CHPR is in the de-identified form with all personal identifiers removed. All research participants provide verbal consent to participate in CHIS. The verbal consent script for each CHIS survey is approved by the UCLA Institutional Review Board and the California Health & Human Services Committee for the Protection of Human Services. The consent script informs respondents about the voluntary and confidential nature of the survey and assures them that their individual answers would not be linked to their identity or disclosed. There is no PII in the system. All data is given voluntarily by respondents.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Clinical Data System Web
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 9/13/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Clinical Data System Web
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Christo Andonyadis
10. Provide an overview of the system: CDSWeb is proprietary software used by NCI clinical trial sites to report clinical trial administrative data, accrual and adverse events. Users of the CDSWeb system enter study administrative data, participant demographics data and optionally, adverse event data. This data can be entered throughout the course of the study but must be submitted at the end of each quarter. Once the data is processed and accepted by CTEP-ESYS, the finalized dataset is stored in the CTEP database, which is a system separate from CDSWeb.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) The data collected is basic demographic data, treatment course data and adverse event data. The data is de-identified and does not contain PII.
2) This data is collected to monitor, evaluate and administer clinical trials.
3) CDS Web does not contain any PII.
4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1) N/A
2) N/A
3) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/26/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Clinical Trials Monitoring Service (CTMS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: In Process
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Clinical Trials Monitoring Service (CTMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Gary L. Smith
10. Provide an overview of the system: The Clinical Trials Monitoring Service assists the Cancer Therapy Evaluation Program in fulfilling its responsibilities to the FDA by providing: 1). a centralized protocol patient data capture and quality control review system for clinical investigators conducting phase 0, phase 1 and selected phase 2 clinical trials. 2). an on-site auditing resource for phase 0, 1 and selected phase 2 clinical trials 3). a mechanism for assuring compliance with Clinical Trials Monitoring Branch (CTMB) Guidelines for Monitoring Clinical Trials for Cooperative Groups, Community Clinical Oncology Program, and Cancer Trials Support Unit via a co-site visitation process. 4). The DCTD that Cancer Centers and single institutions participating in clinical trials utilizing DCTD sponsored IND agents/funds are in compliance with federal regulations, and NCI policies and procedures. 5). A mechanism to provide administrative and audit support to international groups/institutions collaborating with DCTD to ensure compliance with Good Clinical Practices.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): CTMS shares data with DCTD for oversight and monitoring of clinical trials. Data from CTMS is downloaded into the Clinical Data System, a component of the CTEP-ESYS.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: CTMS collects contact information of investigators or research staff for the purpose of correspondence related to the conduct of NCI sponsored clinical trials. Most of the information that CTMS collects is non-IIF, and is publicly available elsewhere. CTMS doesn’t require or collect IIF from investigators or research staff, but they may submit IIF unintentionally (such as home address, personal email accounts, etc.).

CTMS does collect patient information related to birth date (mm/dd/yy). This information is needed to ensure protocol eligibility requirements are met. Collection of any IIF related to patients participating in NCI sponsored clinical trials that CTMS may inadvertently receive in paper format is not accepted at CTMS and is returned to the institution to be redacted to ensure patient privacy and confidentiality. CTMS stores patient data in de-identified format.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) CTMS collects protocol patient data. All the data is de-identified and would not fall into the category of IIF. If IIF is accidentally submitted, which rarely occurs, it is CTMS policy to return it to the submitting institution for de-identification. The only data item that may be considered IIF is the patient’s/participant’s birthdate. This data element is used (particularly for pediatric patients) to ensure that protocol specified eligibility criteria relating to age restrictions are adhered to. Patients/participants are informed and sign an informed consent acknowledging that data will be collected as part of their participation in a clinical trial. The data is collected at the research institution (covered entity) and transmitted via electronic data capture system, to CTMS.

CTMS collects information on NCI Investigators in order to perform their responsibilities for oversight and monitoring of clinical trials. The information includes investigator name, address, email address and telephone number. This information is often collected through other CTEP systems, such as Investigator Registration System Filing System or CTEP-ESYS and transmitted to CTMS. Investigators are aware of the need to collect such data as part of the 1572 process required for all investigators. The information is used for correspondence purposes, reimbursement of outside physicians participating in Cancer Center Site Visits, and other activities in carrying out CTMS’s mission. This data is used for internal administrative purposes only such as site visit attendance, travel arrangements, hotel bookings and follow-up correspondence with the specific individual. It is not released to any outside entity.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: CTMS data is maintained in a secure database.

The following are in place as Administrative Controls:
· Personnel Security
· Background Investigation Process for all personnel working on CTMS
· CTMS Hiring and Termination Process
· Theradex Non-Disclosure Agreement for all CTMS employees working on CTMS
· Annual requirement by employee to take NIH CIT Security Awareness Training
· Rules of Behavior
· System Security Plan
· Configuration Management, Change Management Plans and Processes
· Contingency /Disaster Recovery Plan
· Incident Report Procedures

The following are in place as Technical controls for CTMS:
· Identification and Authentication
· User Account Management Process
· Role based user access to systems
· Password Change Policies
· Procedures for handling lost/compromised passwords
· Audit Trails
· The CTMS application is hosted within Theradex Network boundaries and is protected by Theradex-provided Perimeter Firewall and Intrusion Detection Systems
· Proactive Systems Monitoring and Alerts Management
· Anti-virus, security updates and patching procedures
· Incident Response Procedures
· System and Database Audit Trails and Logs

The following are in place as Physical controls for CTMS:
· Physical and Environmental Protection
· Visitor Log Procedures
· Backup Procedures
· Offsite Storage for Tapes
· AC Maintenance Process
· Alerts and Scans
· Back-up Generator
· Alarmed Server Room
· Limited access Server Room
· Isolated Servers
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Consortia Data Transfer Website (CDT)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NCI Consortia Data Transfer Website (CDT)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anne Ryan (Troy Budd is alternate POC)
10. Provide an overview of the system: The DCP Consortia Clinical Data Transfer (CDT) Website is an Internet web portal that provides DCP and Consortia clinical data management staff with access to study-specific SAS datasets and reports of clinical data entered in DCP OC-RDC. It also provides a platform to publish any network announcements and/or updates regarding DCP Consortia clinical data management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF is present in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Type of data available in CDT include adverse events, agent information, discrepancies reports and Non-IIF participant level data. The CDT Website is designed for the users from seven different clinical sites as well as DCP and Westat. Each site has an individual user content area from which the approved users can access and download the study-specific datasets and reports and view user profiles.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF is present in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is present in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Continuation of Follow-up of DES-exposed Cohorts - IMS
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: Clinical exemption applied for, no ID number assigned yet
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Continuation of Follow-up of DES-exposed Cohorts
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Robert Hoover
10. Provide an overview of the system: The National Cancer Institute (NCI) Combined DES Cohorts Follow-up Study is a nationwide research study following more than 21,000 women and men to learn as much as possible about the long-term health effects of DES exposure. The NCI study is the largest ongoing research study on long-term health and DES exposure. Five research centers in the United States carry out the DES Follow-up Study, coordinated by NCI. Leaders in DES research and education are responsible for the study and are dedicated to increasing scientific and medical knowledge about DES exposure. The research team includes physicians, epidemiologists, researchers, and DES advocates and educators.

IMS provides data management and analytical support for the DES followup. The support includes statistical analysis, creation and manipulation of analysis files, graphics generation, and reporting for analytical projects. The tasks covered under this PIA include:
· Assist in the design of statistical analyses and reports.
· Design and create analysis files.
· Program analyses using SAS software.
· Quality Control of data and reports.
· Document the data elements and project requirements.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): DES Study Center Principal Investigators can view the data for research purposes.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The PII collected and stored in the system may include:
· Date of Birth
· Date of Death
· Date of Last Contact
· Vital Status
· Gender
· Cancer Diagnosis

The data are used to investigate the relationship between DES exposure and health outcomes.

Collection of this information is a voluntary process, as part of the study followup. This information will be used for analysis and reporting purposes.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) For this study, completing a questionnaire is voluntary. They have the option to refuse participation or complete the questionnaire. If medical records or tissue slides are necessary for disease confirmation, participants are sent a consent form with a written explanation of the purpose of the additional data. For the questionnaire, options are provided to refuse to participate in a single follow-up or to decline all future participation. Participants can contact study centers via phone, mail, or email, and through these contact options, participants can ask the study sites to have their data expunged from the study.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The PII will be secured in a similar fashion to that of other data stored in the system. Briefly, security measures include:

System Monitoring
Automated audit trails are monitored on all server-based systems deployed at IMS. Audit records and server logs will be reviewed daily for anomalies. An automated reporting tool will be used to analyze the server logs to look for abnormal activity. Automated audit trails also play an important part in governing the access granted to users outside the Contractor’s Local Area Network (LAN). A firewall is in place that logs all incoming and outgoing connections to the LAN. This includes connections to the UNIX/Linux workstations and the Windows servers. This log will be maintained and checked for evidence of attempted unauthorized access to the Contractor’s LAN.

Computer Center Administrative and Physical Safeguards
IMS’ Standard Operating Procedure (SOP) for Computer Resource Security details the standards and processes used to ensure the security of the computer resources and data. All IMS employees will be required to read and follow this SOP.

IMS’ computer center has facilities in Silver Spring, MD and in Sterling, VA. The Sterling, Virginia site will be used for production services that require 24/7 accessibility. This site has personnel on site 24-hours a day in a facility that requires a key card and fingerprint for access. The facility also provides protection against fire and flood with highly sensitive monitoring equipment. Generators are available to provide continuous electricity in case of a main power failure.

The Silver Spring computer center is in a separate office with a key coded access lock. Each person authorized to access the computer center has a personal ID and password that must be entered each time the door is opened. A log of any attempt to enter the computer center is maintained. This log is routinely reviewed to identify any potential security risks. Visitors are never allowed into the computer center at either site. Maintenance and repair personnel will be escorted into the computer room and then monitored until all work is complete.

IMS employs firewalls with Intrusion Detection capabilities to secure the network perimeter. The firewalls are continually monitored. Reports are distributed to authorized administrators twice daily for their review. Computer center staff performs weekly security checks using Security Auditor's Research Assistant (SARA), a third generation UNIX-based security analysis tool. IMS routinely reviews the security check results and rectifies any identified potential security vulnerabilities.

Registration of authorized users on IMS’ Network is controlled by the IMS system administrator. To enter the network, the user must have an authorized user ID and a password which must be changed every 60 days. Network privileges are established which set access rights and restrictions to network resources. Access privileges to sensitive data and operating systems within the network are controlled by user ID. Authorized users have specific levels of access, such as "read only" or "read and write".

Use and disclosure policy
As part of IMS’ employee orientation, each new employee reviews an overview of security policies and guidelines for IMS. Each new employee is required to sign a confidentiality agreement and complete the on-line NIH computer security and privacy awareness training courses. The confidentiality agreement requires that no data be released without the written authorization of the owner. In addition, the on-line NIH computer security refresher course will be completed annually by all employees.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Continuation of Follow-up of DES-exposed Cohorts - Westat
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): SORN 09-25-0200
5. OMB Information Collection Approval Number: Clinical Exemption-02-01-04
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH DES Follow-up Study Coordinating Center Management Systems
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Robert Hoover
10. Provide an overview of the system: The DES Follow-up Study Coordinating Center Management System maintains participant information to support activities conducted for the Principal Investigators and staff at the study centers. Support activities include tracking the receipt of data collection forms during Follow-Ups, coordinating the review of pathology slides, coordinating submittals for National Death Index searches, coding of medical records and death certificates, receiving results from cancer registry searches, providing study status reports, and monitoring data for quality control.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII is disclosed to the National Center for Health Statistics (NCHS) for National Death Index (NDI) searches.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Participants provided their name, mailing address, phone number, date of birth, and social security number to the specific study center which enrolled the participant. Participants may also provide to the study centers race, ethnicity, email addresses and updates to addresses and phone numbers during follow-ups or when contacted for other reasons. PII was voluntarily provided by participants after study consents were signed. Names and contact information are maintained by the individual study site which enrolled the participant and this PII is not disseminated to the other study sites. The study sites may send PII to the coordinating center for a specific purpose (e.g., a NDI search). The coordinating center destroys contact information after the task is completed. Participants can decline future participation at any time through phone calls, emails or letters to the study centers.
PII is disclosed to the NCHS for a NDI search.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Participants signed Consent Forms upon enrollment and if contacted for a Follow-up they are given a written explanation of the purpose of the follow-up. Providing any information is voluntary for this study. Options are provided to refuse to participate in a single follow-up or to decline all future participation. Participants can contact the study centers via phone, mail, or email to decline participation.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The following classes of controls are in place to protect the participant PII: access control including user account management, access enforcement, password strength, least privilege concept, session termination; security awareness and training; audit and accountability; configuration management; contingency planning; identification and authentication for users, devices; incident response including training, testing, monitoring; timely and controlled maintenance; media protection; physical and environment controls such as id badges, physical access authorization using access cards and keyed locks for building and room entry, monitoring, visitor control, emergency power, and shutoff, disaster protection and recovery; system security plan; personnel security; rules of behavior; risk assessment planning, monitoring, update; technical and communication protection including denial of service protection; boundary protection, programmable firewalls, establishment of network zones with varying levels of restrictions; transmission integrity; security certificates, encryption, regular virus detection and monitoring; policies and procedures are in place for each control class.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI DCEG Intramural (DCEG)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4926-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-17
7. System Name (Align with system Item name): NCI DCEG Information System (Intramural)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nelya Gunina
10. Provide an overview of the system: This system allows the users in the Division of Cancer Epidemiology and Genetics (DCEG) to analyze costs of scientific studies and provide more efficient and accurate reporting to both NIH and NCI. Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a and 44 U.S.C. 3101
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Work-related information is used from other systems. This includes name, work address, e-mail address, and phone number for government employees. A limited amount is entered by staff. This includes such things as research title, research description, lead investigator, collaborators, risk factors, study type, cancer sites, research category, common scientific outline coding, keywords, and study population accrual. Information is then available for dissemination about the research within NCI and to the NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII collected
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII collected. System uses firewalls, passwords, locks, id badges, background investigations, network monitoring and an Incident Response team.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI DCP Collaboration Repository (DCPCR)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NCI DCP Collaboration Repository (DCPCR)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anne Ryan (Troy Budd is alternate POC)
10. Provide an overview of the system: The DCPCR provides the means for DCP and its contractors to centralize the management of project collateral. It serves as a single point of access from which DCP and its contractors can obtain and share timely and accurate DCP enterprise information in an organized environment. Documents are posted to topic-specific content areas to which user access is authorized by DCP based on user role/function within DCP or a DCP contractor organization.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): DCPCR information is shared with the Food and Drug Administration (FDA) to fulfill regulatory requirements. However the FDA does not interface directly with DCPCR. The IIF is under SOR 09-25-0200 Clinical, Basic, and Population-based Research Studies of the National Institutes of Health (NIH), HHS
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: DCP collects researcher's name, date of birth, mailing address, phone numbers, financial information, education records and military status in order to identify, review and approve individuals to conduct NCI DCP clinical trials.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Personally Identifiable Information (PII) is provided to fulfill regulatory requirements and is for internal DCP use only.

Investigators provide PII using the FDA 1572 form and required supporting documentation (e.g., CV, financial disclosures, medical licenses). The 1572 form is signed and submitted by the investigator with the understanding that DCP will use and disclose PII as needed to fulfill its regulatory requirements.

FDA tasks DCP with maintaining these documents to fulfill responsibilities as sponsor of clinical research trials.

Investigators can withdraw the consent provided by the 1572 but then they can no longer participate in the study. Per FDA, no investigator may participate in an investigation until he/she provides the sponsor with a completed, signed Statement of Investigator, Form FDA 1572 (21 CFR 312.53(c)).

Changes are communicated at the time they are identified per DCP SOPs.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include SOPs, policies and guidelines. Technical controls include user identification and authentication, an Intrusion Detection System, logon warning banners, the concepts of least privilege and firewalls. Physical controls include server room, proximity card entry, an automatic fire suppression system and surveillance video. This system falls under System of Records Notice 09-25-0200.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI DCP Enterprise System Knowledgebase (DESK)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4903-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-45
7. System Name (Align with system Item name): NIH NCI DCP Enterprise System Knowledgebase (DESK)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anne Tompkins / Troy Budd
10. Provide an overview of the system: DESK is an enterprise database with a suite of applications that support the scientific and administrative work of the NCI Division of Cancer Prevention (DCP) and its mission. Specifically, the DESK is used to document, track, monitor and evaluate DCP clinical research activities. DESK enables DCP to collect, analyze and report adequate clinical trials data to fulfill NCI, NIH and DHHS requirements.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF is present in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Types of data available in DESK include protocol attributes, site and investigator contact information, agent information, IND records, adverse events, site audit reports, and non-IIF patient-level data. The information is critical to track the receipt, abstraction, review, approval and implementation of clinical trials; it is also used to facilitate administrative operations (including reporting), support scientific decision making, regulatory oversight, and future planning of clinical trials.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF is present in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Bruce Woodcock
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI DCTD Developmental Therapeutics Program (DCTD DTP)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-22
7. System Name (Align with system Item name): NIH NCI DCTD Developmental Therapeutics Program (DCTD DTP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Daniel Zaharevitz
10. Provide an overview of the system: This is the NCI DCTD DTP Program website.
The main function of the DTP web site is to provide the research community with access to DTP data, policies and procedures. The data include over 250,000 chemical structures, growth inhibition data in human tumor cell lines for over 40,000 compounds, gene expression data measured in human tumor cell lines, results in mouse tumor models for over 100,000 compounds and much other data. Almost all of this data is freely available to all and no registration is required and no personal information is collected. The exception is for people who wish to submit compounds for testing. They must register and personal information necessary to contact them is collected (name, address, phone, email).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, PART C, subpart 1, Sec.285, Sec. 285a, and 44 U.S.C. 3101. General Program and support information for grantees and clinical trial personnel. Workplace contact information is collected for users that wish to submit compounds for screening. No IIF is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF, however investigating partners are emailed notification of use of information.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected. We have business contact information with business partners.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI DEA General Support System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Division of Extramural Activities (DEA) General Support System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Greg Fischetti
10. Provide an overview of the system: The NIH NCI DEA General Support System provides multiple applications for DEA and NCI staff which support the business processes involved with the referral and review of contract proposals and grant applications, concept tracking and reporting for the Board of Scientific Advisors, management of the National Cancer Advisory Board, and coordination of the National Advisory Act by the Committee Management Office.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NIH NCI DEA General Support System provides multiple applications for DEA and NCI staff which support the business processes involved with the referral and review of contract proposals and grant applications, concept tracking and reporting for the Board of Scientific Advisors, management of the National Cancer Advisory Board, and coordination of the National Advisory Act by the Committee Management Office.
BSA: Concept/Program/Funding Opportunity meta data and approvals

CATS: Workflow and Concept meta data
CI: Offeror Name, Org. Evaluation Criteria, Meeting data
DOCS: Meeting Roster including names, degrees, grant applications, staff phone & email, standard per diem raters
ES: NCI staff Name, userId, title, org., office, phone, fax, email, classes, course attendance
FOAE: Workflow and FOA data
FOAR: FOA data, Application data, Application funding data
GL: Dictionary terms
IRG: Application data, Review recommendations and scoring
PC: Grants and contracts are coded by NCI staff to allow categorization of research dollars. The information about Principal Investigators is their person ID, name, and degree.
PRS: Meeting data, meeting roster, application data, review scores
REVCD: Application data, meeting data, meeting roster, FOA data, review guidelines, summary statements, application supplemental material, conflict of interest data
RPDU: Application data, PI name and institution, application

The DEA GSS processes only federal contact data. No PII is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A - No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A - No PII In the System.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Early Detection Research Network (EDRN)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Early Detection Research Network (EDRN)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Christos Patriotis
10. Provide an overview of the system: Public face of EDRN, a project of the Cancer Biomarkers Research Group of the Division of Cancer Prevention of the National Cancer Institute. The EDRN site provides information for the general public and prospective members about EDRN research, cancer detection, and funding opportunities. EDRN members may log in to gain further information including science data and information on unreleased biomarkers.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII in the system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Federal contact data is solely contained within the system and is generally available elsewhere through other applications and channels (such as institution/university staff directory). The purpose of repeating such information within the application is to simplify accessibility for EDRN research partners. There is no information gathered from the public. There is no public PII in the system. Submission is entirely voluntary. Information includes EDRN member name, job title, work email address, departmental home page URL, institution mailing address, institution telephone and fax number, and institution online directory photograph.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII in the system. Authorized personnel have physical access to server but may only access hardware. Digital information restricted to internal hard drives.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI e-Grants/web-Grants (e-Grants)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4930-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-38
7. System Name (Align with system Item name): NCI e-Grants/web-Grants
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Dunne
10. Provide an overview of the system: The eGrants/web-Grants provides online access over the web to the official grant files including the ability to search for particular grants or documents.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The name and contact information is shared with the NIH IMPAC II system. Other information is not shared. Sharing is done in accordance with SOR 09-25-0036.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Authority for collection of this information is 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15. IIF contained in this system consists of the following information about grantees: name, social security number, mailing address, telephone number, financial information, e-mail address, education records, and a notice of grant award. This information is maintained as part of the grants management system. The majority of this information is not shared outside of NCI. The name and contact information is shared with the NIH IMPAC II system. Information is submitted voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is no process in place to notify individuals in the event of major changes to system.

The grantees submit their information voluntarily and are made aware that it will be used in the grant funding process.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Employee Database Internet Edition
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Employee Database Internet Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bob Barber
10. Provide an overview of the system: EDie is a web-based application that allows institutes to accurately maintain individual employee, contractor, and volunteer information, as well as plan for, monitor, and report on workforce staffing levels.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is intended for internal senior administrative use only and will not be shared with other entities. Refer to SORN 09-90-0018.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EDie is a web-based application that allows institutes to accurately maintain individual employee, contractor, and volunteer information, as well as plan for, monitor, and report on workforce staffing levels. All information collected is pertinent to a personnel file and represents only federal contact data. The EDie system does contain PII data as described in question 17 of the PIA. There are many uses for this information: (a) tracking a time-limited appointment to ensure renewals are done in a timely manner thereby avoiding any break in service; (b) ensuring that allocated FTE ceilings are maintained; (c) ensuring salary equality for various hiring mechanisms; (d) the ability to provide reports requested by the NIH Director; (e) maintaining lists of non FTEs, special volunteers, contractors, etc. Information is mandatory at time of hire.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is collected from documents provided by employees (CV, resumes, etc.) at the time of appointment; it is provided in personnel packages submitted through channels in order to effect a hire. This information is put into Capital HR and Fellowship Payment System (FPS) and subsequently downloaded into EDie. Individuals are notified of the collection and use of data as a part of the hiring process. Changes to the system or use of the information are relayed to employees via official notices from HR and the system owner.
1) N/A: EDie is not the point of original collection of this data.
2) EDie is a reporting system which inherits PII data from other official HR systems. Currently, no users have access to SSN, DOB, Home address thru the EDie application.
3) We do not expect any significant changes to the system functions related to PII; if this happens, HR and the system owners will notify all affected employees electronically (e-mail).
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to sensitive data fields is limited on a need-to-know basis. Each user signs a security statement and receives a password. Any violations result in loss of access to system. Information is also secured by separation of duties, an intrusion detection system, firewalls, locks and background investigations. A comprehensive IRT capability is also maintained. This system falls under System of Records Notice 09-90-0018.

EDie employs access control policies (NIHNet single sign-on) and access enforcement mechanisms (access control lists) for authentication. Additionally, access enforcement mechanisms are employed at the application level in the form of user assigned groups to further increase security within EDie. Each group has different access privileges. Access can be restricted by content and organization.

From a Physical Access perspective, the Executive Boulevard building is accessible to the public during regular business hours. There is one security guard on duty during regular business hours (8:00 AM - 6:00 PM weekdays). The guard is retained by NCI to make frequent foot patrols of the entire building and surrounding areas (including the basement and garage), and one security guard desk at the entrance to the building. Due to the shared roles of offices housed in the building, it is not possible to verify that all NIH visitors to NCI offices have a proper NIH ID badge, or to require non-NIH visitors to sign a visitor log and be escorted. There is an administrative assistant stationed inside the front door of the NCI offices during regular business hours.

There is a guard on patrol duty through midnight on weekdays. Access to the building and elevators is restricted by access card on nights and weekends. Cardkeys, cipher locks, and/or keys are required for access to the NCI suites, the computer room, and rooms containing communications equipment. Access to the computer room and rooms containing communications equipment is limited to a small number of personnel.

Departing employees and contractors are required to turn in their identification badges, cardkeys, and keys as part of the exit process. NCI Administrative Officer is responsible for the control and return of keys and the reporting of stolen keys. NCI Cardkey Coordinators are responsible for the control and return of cardkeys and the reporting of lost/stolen cardkeys.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Enterprise Services and Clinical Trials Reporting Program
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0600
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NCI Clinical Trials Reporting Program (CTRP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jose Glavez, MD
10. Provide an overview of the system: The Clinical Trials Reporting Program (CTRP) is a web-based program to submit data about cancer-related clinical trials and to search for data concerning cancer-related clinical trials. The CTRP system is an electronic resource that is intended to serve as a single, definitive source of information about all NCI-supported clinical research. Deployment of this resource will allow the NCI to consolidate reporting, aggregate information and reduce redundant submissions. Information will be submitted by clinical research coordinators as designees of clinical investigators who conduct NCI-supported clinical research.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Only designated, appropriate NCI program and administrative employee and contractor staff will have full access to the data within the CTRP Database for purposes of portfolio management and compliance with regulatory and administrative reporting obligations. Access will be limited to those with a direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure agreement and staff will be given mandatory privacy and security training.

Individual submitters to the CTRP Database will have full access to information they have submitted.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) Clinical investigators are requested to provide their professional contact information, including name, business mailing address, business phone numbers, and business e-mail address. In addition, clinical investigators and/or study coordinators are requested to provide the following elements for study subject accrual information:

• submission title
• submission cut-off date (MM/DD/YYYY)
• description
• study subject ID
• study subject birth date (MM/YYYY)
• study subject gender
• study subject race
• study subject ethnicity
• study subject zip code
• study subject country
• registration date (MM/DD/YYYY)
• study subject method of payment
• disease
• participating site name

(2) The information is collected for purposes of portfolio management, compliance with regulatory and administrative reporting obligations and appropriate dissemination of cancer research information to the public. The information will be made available to designated, appropriate NCI employee and contractor staff for purposes of portfolio management and compliance with regulatory and administrative reporting obligations. Access will be limited to designated, appropriate NCI employee and contractor staff with a direct need to access the data. Access to PII will be limited to designated, appropriate NCI employee and contractor staff with a direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure agreement and staff will be given mandatory privacy and security training.

(3) The information contains the following PII: study subject birth date (MM/YYYY), study subject gender, study subject race, study subject ethnicity, and study subject zip code. Although CTRP uses a Study Subject ID to identify an accrual record on a given study, this ID is not linked to information concerning a study subject.

(4) Submission of this information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) NCI will post written notices on the web site portal for the CTRP system to inform clinical investigators/research coordinators of:

(1) major changes that occur to the CTRP system that affect disclosure and/or uses of PII in the CTRP system;
(2) changes in the type of PII to be collected from study subjects; and
(3) any changes to how PII is used or shared (from current practice of making PII collected from study subjects available only to designated, appropriate NCI employee and contractor staff on a “need to know” basis for purposes of portfolio management and compliance with regulatory and administrative reporting obligations).
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The PII will be secured by management, operational, and technical controls. Some of these controls include user identification and authentication, the concept of least privilege, and firewalls. Infrastructure product, username and password, annual risk assessments, background checks on administrative employees, key locks and keycards necessary to enter server rooms.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Enterprise Vocabulary System (EVS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4920-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-29
7. System Name (Align with system Item name): NIH NCI Enterprise Vocabulary System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Gilberto Fragoso
10. Provide an overview of the system: NCI Enterprise Vocabulary Services (EVS) provides resources and services to meet NCI needs for controlled terminology, and to facilitate the standardization of terminology and information systems across the Institute and the larger biomedical community.
Two key terminology resources are produced and published by EVS:
NCI Thesaurus is a reference terminology used in a growing number of NCI and other systems. It provides rich textual and ontologic descriptions of some 50,000 key biomedical concepts.
NCI Metathesaurus is a comprehensive biomedical terminology database, connecting 2,500,000 terms from more than 50 terminologies, including some proprietary vocabularies with restrictions on their use.
EVS is a partnership between the NCI Office of Communications and the NCI Center for Bioinformatics. It is a key component of the cancer Common Ontologic Resource Environment (caCORE) and the cancer Biomedical Informatics Grid (caBIG), and is used in the NCI Web Portal and Physician Data Query (PDQ) cancer information services.

A new wiki-based component of the EVS system is being constructed to facilitate collaborative vocabulary development with NCI partners.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The new wiki-based application allows end-users to create web pages to share with other end-users of the system. The end-users might do this to add additional contact information that they wish to share with other end-users, as the purpose of the wiki-based application is to foster collaborative development of vocabularies to be served by the EVS. The professional/business information is not observable by non-registered users of the application.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1. The system collects the end-user's email address.
2. The information is collected so that password information can be automatically sent on request by the end-user.
3. No other PII other than the email address is required for a person to register.
4. Entering this information is mandatory for end-users of the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1. Notifications will be posted on the wiki-based application's home page, as well as advertised on a listserv. 2. The nature of the information collected from end-users will be posted in a privacy notice on the web site, as well as 3. the use which the EVS will make of this information.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to raw data will be controlled through file permissions, database roles and user groups. Files will be backed up regularly and stored off site. User access with write permissions will be credentialed (username/password), and internet access will be protected by a firewall, and encryption used where necessary (login through https). The production servers are physically secured, in facilities operated by NCI/CBIIT.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Environmental and Genetic Lung Etiology (EAGLE)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): NCI-80
7. System Name (Align with system Item name): NIH NCI Environmental and Genetic Lung Etiology (EAGLE)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anand Basu
10. Provide an overview of the system: Environmental and Genetic Lung Etiology (EAGLE) is an interdisciplinary multi-center case-control study of lung cancer conducted in Milan, Italy, designed to explore the genetic determinants both of lung cancer and smoking. The objectives of the EAGLE study, as identified by DCEG, are as follows:

· Perform genetic profiling of study participants by 15STR markers
· Conduct analysis of gene expression in adenocarcinoma lung cancer tissue of smokers and non-smokers
· Identify histologic characteristics of lung cancer in relation to genotype, gene expression, somatic mutations, and smoking
· Monitor therapy efficacy and survival of lung cancer patients
· Identify lung cancer-affected siblings of cases and the unaffected siblings in the same sibships
· Perform integrative analyses of the above-mentioned datasets in the context of the epidemiological data from the study.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The agency voluntarily collects from authorized Researchers, maintains, and disseminates via a strictly controlled process to authorized researchers de-identified medical data consisting of de-identified molecular analysis cancer data, including DNA snippets. No personal information is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Global Specimen Identification Service (GSID)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 9/13/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Global Specimen Identification Service (GSID)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Ian Fore
10. Provide an overview of the system: This system provides a single point of service to other software systems on the caBIG grid for managing Global Specimen Identifiers (GSIDs). There is no human interface. The grid service creates GSIDs, registers them with information about the requesting institute, verifies that GSIDs are unique (or reports the institute the GSID is associated with), and supports a directed graph of relations between GSIDs (e.g., parent-child relations).

No PII information can be stored, or requested, via this service.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) The system generates unique identifiers (128 bit numbers) for software connected to this service, and stores that number, along with reference material (login information) about the institute requesting the unique identifiers. The system does not contain Federal contact data and does not collect or store any other organizations' or users' PII data. Information stored is the individual GSIDs, the relation between multiple GSIDs, and the institute which requested that individual GSID.

2) The individual GSIDs are stored to assure uniqueness when new GSIDs are requested. The relations between GSIDs are stored to allow systems to retrieve relation data between specimens (e.g., a specimen is an aliquot of another). The institute information is stored to allow for tracking back to individual specimen repositories.

3) None of this information is PII.

4) N/A - no personal information is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Health Information National Trends Survey
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Health Information National Trends Survey (HINTS) Web site
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lewellyn Belber
10. Provide an overview of the system: The HINTS Web site presents data collected by the Health Information National Trends Survey. It offers the datasets for download as well as graphic data for use by journalists, policy-makers, and the general public. The survey has been fielded 3 times since 2003, and includes data from over 6000 respondents. The respondents are members of the general public, selected at random, and the survey questions have to do with how they get health information, how well they understand that information, what they know about the risks associated with various types of cancer, and other similar questions. The data is in aggregate form and includes no personally identifiable information (PII). No PII is collected or maintained by the Web site.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system maintains and disseminates aggregate survey results.
The information is made available to researchers in the form of downloadable datasets and to the general public, as tabular and graphical data from individual survey questions.
The information does not include PII.
Although submission of personal information is not possible through the HINTS Web site, any survey response information provided is done so on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is no PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 5/6/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Health Information National Trends Survey 4 (HINTS 4)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 9/13/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: 0925-0538 approval pending
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH NCI Health Information National Trends Survey 4 (HINTS 4)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terisa Davis
10. Provide an overview of the system: HINTS is a survey of the adult US population authorized by the Public Health Services Act, Sections 411 (42 USC, 285a) and 412 (42 USC 285a-1.3). The HINTS system will collect information on people's cancer communication practices, information preferences, risk behaviors, attitudes, and cancer knowledge. Data will be collected via mailed paper surveys over the course of four data collection cycles. In addition, the system may collect a name, mailing address, personal phone number, military status and employment status.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The only provision under SORN 09-25-0200 for which disclosure is anticipated is for employees of Westat who are working on the study and will need access to the PII in order to complete the study. PII will not be shared with anyone outside of Westat. The routine use of records under SORN 09-25-0200 includes the following provisions for disclosure: 1) For a research purpose (e.g., records of tumors for cancer registries); 2) To a member of Congress; 3) To the Dept. of Justice for litigation purposes; 4) To those working on the study (agency, contractors, consultants, etc); 5) To Federal agencies to obtain information on morbidity and mortality experiences; 6) Public health purposes (e.g. notifying partners of sexual disease); 7) Health service providers for reimbursement purposes; and 8) Reporting spousal or child abuse. HINTS 4 does not collect most of these categories of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1. Government Authorization: The Public Health Services Act, Sections 411 (42 USC 285a) and 412 (42 USC 285a1.1 and 285a1.3).
2. Purpose of Collection: HINTS will allow NCI and the cancer communications community to refine its communication priorities, identify deficits in cancer-related population knowledge, and develop evidence-based strategies for selecting the most effective channels to reach identified demographic population groups, including typically underserved populations such as minorities and persons living in poverty.
3. The information collected does contain some limited PII. The PII that will be collected includes: name, mailing address, personal phone number, military status, and employment status.
4. Voluntary or Mandatory: Information is provided on a voluntary basis only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1. No changes in disclosure or data use will be permitted without explicit consent from each survey respondent. In the unlikely event that permission needs to be sought, consent forms will be sent by US Postal Service to each respondent.
2. Information about the study and data disclosure is provided to respondents in written form along with the survey instrument. Completion and return of the survey is considered consent to participate.
3. PII is used during the data collection period to accurately track study respondents. After the field period, identifying information will be removed from the database and destroyed. The PII is not shared with anyone outside of limited study staff (at Westat). Identifying information on respondents will not be shared with NCI either during or after the study.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII is secured using password-protected networks, system firewalls, and keycards/identification badges for all physical locations. Data is maintained in a secure database. Information is secured on the system through access controls, personal security awareness and training, regular auditing of information and information management processes, careful monitoring of the information system, control of changes to the system, appropriate handling and testing of contingencies and contingency planning, ensuring that all users are properly identified and authorized for access, and that they are aware of the rules and acknowledge that fact, by ensuring that any incident is handled expeditiously, properly maintaining the system and regulating the environment the system operates in, controlling media, evaluating risks and planning for information management and information system operations, by ensuring the system and any exchange of information is protected, by maintaining the integrity of the system and the information stored in it, and by adhering to the requirements established in the contract and statement of work.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 10/11/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI IMPAC II Extensions (IMPAC II)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4904-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-1
7. System Name (Align with system Item name): NIH NCI IMPAC II Extensions (IMPAC II)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nelya Gunina
10. Provide an overview of the system: This system extends the NIH IMPACII extramural information to include the specifics of the NCI extramural business process of grant portfolio management. This includes the transition from a paper business process to an electronic process across the life cycle of an NCI sponsored grant. Comprehensive Minority Biomedical Branch (CMBB) has been rolled into IMPAC II Extensions. CMBB provides metrics to assess the success rate of the NCI CMBB program and to provide grantees information about other training opportunities.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No information is shared. Disclosures permitted in SOR 09-25-0036 are not utilized.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Authority for collection of this information is 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15. The IIF that the system captures on the public concerns only grantees and is obtained from the NIH IMPACII system and the NIH Data Warehouse. The IIF that the system directly collects is about individuals employed by NCI and involved in the grants business process. IIF includes name, work address, work phone number, and financial account information. Information is given voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) We have an agreement with IMPAC II that describes what data we will receive and limits how it will be used. If we need to change how it will be used, the agreement will be renegotiated and notification and consent issues will be part of any new agreement.
Individuals are notified and consent to the use of their information in this type of system is given when they receive grants or are hired by the government.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, database roles, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Inherited Bone Marrow Failure Syndrome Study (IBMFS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: CE-02-01-04
6. Other Identifying Number(s): IBMFS
7. System Name (Align with system Item name): NIH NCI Inherited Bone Marrow Failure Syndrome Study (IBMFS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Blanche Alter, M.D., MPH
10. Provide an overview of the system: IBMFS is an MS Access 2007 Application comprised of a user interface and database. The study aims to identify cancer prone families before the appearance of cancer, by virtue of their underlying genetic hematologic disease. The system manages the data collection activities of study participants. Contact information is maintained. Statuses for consents, clinic visits, biospecimen collections, and self-administered questionnaires are tracked. Reports list delinquent and expected events as well as summarize study progress.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII may be shared with collaborators, the NIH clinical center investigators and the Clinical Laboratory Improvement Amendments (CLIA) certified labs. These labs run diagnostic tests and require the use of patient name in order to meet CLIA standards.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Name, email, home addresses, and home phone numbers are collected for contact purposes. Date of birth, gender, disease and affected status are collected in order to characterize the population and to use for statistical purposes. All information collected is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This is an epidemiological study. Information is collected over the phone, in writing and in person. Individuals must call into the study to begin the recruitment process and therefore implied consent for the data is received. Once a participant is deemed eligible for the study, a written consent form is mailed to them which includes information about the storage and use of the data. Those individuals who come to the NIH clinical center are reconsented in person. PII may be shared with collaborators, NIH clinical center investigators and the Clinical Laboratory Improvement Amendments (CLIA) certified labs.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The following classes of controls are in place to protect the APS and respondent PII: access such as user account management, access enforcement, password strength, least privilege concept, session termination, security awareness and training, audit and accountability, configuration management, contingency planning, identification and authentication for users and devices, incident response training, testing, monitoring, timely and controlled maintenance, physical and environment controls such as id badges, physical access authorization using access cards, key locks, and cipher locks for building and room entry, monitoring, visitor control, emergency power, and shutoff, disaster protection and recovery, system security plan, personnel security, rules of behavior, risk assessment planning, monitoring, update, technical and communication protection including denial of service protection, boundary protection, programmable firewalls, establishment of network zones with varying levels of restrictions, transmission integrity, security certificates, encryption, regular virus detection and monitoring, policies and procedures are in place for each family control class.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI International Cancer Research Partnership Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): International Cancer Research Partnership (ICRP) Website
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Karen L. Parker
10. Provide an overview of the system: The International Cancer Research Partnership Web site (ICRP) supports a group of governmental and nongovernmental cancer research funding organizations with a mission of developing and implementing coding schema for cancer research projects, which can help identify gaps in the cancer research portfolio. The Web site includes a public internet (informational only) and an intranet component that is limited to member organizations. The public site ONLY serves as an information Web site for members of the public, providing information about the ICRP and its member organizations, access to their grants portfolio (minus funding amounts), and information for cancer-funding organizations on how to apply to the ICRP for membership. [Individuals cannot apply for membership. Member organizations must complete an application, sign a data sharing agreement, submit their data in a specific format, pay dues.] The intranet site includes the data provided by the approved member organizations (including the funding data), tools to graphically analyze the data, and space for members to share documents.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not Applicable - the system contains no PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) Each member organization will provide data about the cancer research that they fund. This information includes the name of the member organization, type of cancer, area of research, name of the principal investigator, institution receiving the award, institution's city, state, and country, year of the award, and (for intranet site only) amount of funding.
2) The public Web site provides all data (except for financial data) as an information service to the public. The intranet site provides additional information sharing and data analysis among the member organizations.
3) The system will not collect, maintain, or disseminate any PII.
4) The public Web site collects no information. Submission of the grant information described in question 1 is mandatory for member organizations - a condition of their membership.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The system will not collect, maintain, or disseminate any PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________
