
National Institutes of Health Privacy Impact Assessments - Page 3


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Investigator Registration Filing Process
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Requested
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Requested
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Cancer Therapy Evaluation Program (CTEP) Investigator Registration Filing Process
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Charles. L. Hall, Jr.
10. Provide an overview of the system: The purpose of the CTEP Investigator Registration Filing Process is to manually collect, store, and manage data about registered investigators who are eligible to receive NCI supplied investigational agents from the Pharmaceutical Management Branch (PMB) of CTEP. The data collected is stored in hardcopy format in secure filing systems as well as secure Electronic Filing Systems operated by NCI.
CTEP contractors managing the Investigator Registration Process.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is shared with the FDA and pharmaceutical companies for the purposes of exchanging clinical trials data.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information collected as part of the Investigator Registration Filing Process is that contained in the following documents collectively termed the IR packet. The information collected in the IR packet is used for the purposes of conducting clinical research. Some of the information provided in the IR packet is mandatory while some of it is voluntary.

1) DHHS FDA 1572 Form which collects FDA required attributes such as Investigator name, education and training experience, name and address of medical school, hospital or research facility where clinical investigation will be conducted, name and address of clinical laboratory facilities to be used in the study, name and address of Institutional Review Board responsible for review and approval, and Investigator Signature.

2) Supplemental Investigator Data Form which collects information such as Investigator name, Degrees, NCI Investigator Number, Month and Year of Birth, Provider number, Primary Specialties, Investigator related Training Information, Office Address for official correspondence with the Investigator, Address for Agent shipments, Shipping and Ordering Designee information and Investigator Signature.

3) Financial Disclosure Form which collects FDA required financial disclosure information based on four generic questions related to the Investigator’s relationship to any pharmaceutical company or sponsor to the extent that the investigator has received any compensation from pharmaceutical companies, or the investigator may have any proprietary interest in any of the studies not limited to patent, trademark or licensing, or if the investigator has any equity interest in any pharmaceutical company or if the investigator or his/her institution has received any large payments in the form of funds, grants or equipment from pharmaceutical companies exclusive of the costs of supporting conducting clinical studies.

4) The Investigators are also required to submit an updated copy of their resume / CV.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) NCI Investigators who wish to participate in NCI sponsored clinical trials submit their information to CTEP Investigator Registration Process in a signed Investigator Registration (IR) packet. This investigator registration packet, along with additional cover letter, informs the investigators about intended purpose and usage of their information.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Policies and procedures exist for securing and providing access to IR packet information. For the hard copies of the Investigator Registration (IR) packet that are filed in the secure filing systems, the filing cabinets are secured behind double locked doors with restricted access to the facilities. Only select authorized staff are allowed to access the hard copies. Access logs to hard copy documents are maintained. Access to data stored in the Electronic Filing System is through a password-protected account. The Server on which the Electronic Filing System is hosted is maintained in secure Key control based facilities. Audit Trails are kept regarding the Electronic Filing System to track data access.

Since the same hard copy documents are scanned and filed into the Electronic Filing System, no backups are maintained for the hard copy documentation. Contingency plans exist for the Electronic Filing System. Backups of tapes are not stored offsite.

The system falls under the Privacy Act System of Records Notice 09-25-0200
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Labmatrix (Labmatrix)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: none
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: none
6. Other Identifying Number(s): NCI-84
7. System Name (Align with system Item name): NIH NCI Labmatrix
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jason Levine
10. Provide an overview of the system: Labmatrix is a system which allows for the tracking of tissue and fluid specimens obtained as part of clinical and translational research, and the tracking and collation of the results of experiments performed on those specimens. The system uses a Microsoft SQL database for its back-end data store; data entry and reporting is performed using either a web-based application or via custom-written applications which access the system via a standardized API. Labmatrix incorporates a user-based system of security and data partitioning, providing for the ability to restrict access to the system as a whole and to restrict users to the ability to view and manipulate only the data to which they have appropriate rights. Likewise, the security system incorporates a system-wide awareness of the idea of protected health information (PHI), and enforces strict access to this information on a granular basis to only those system users with both a need and the rights to know.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is shared among clinical and translational investigators who have been approved by the NIH Institutional Review Board to collaborate on any given clinical trial, such that these individuals can maintain accurate records of the specimens and results generated on their clinical trials. As stated in the SORN 09-25-0200 under Routine Uses of Records Maintained in the system, including categories of users and purposes of such uses: Disclosure may be made to agency contractors, grantees, experts, consultants, collaborating researchers, or volunteers who have been engaged by the agency to assist in the performance of a service related to this system of records and who need to have access to the records in order to perform the activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m).
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information which will be collected within Labmatrix will be that for which collection has been approved by the NIH Institutional Review Board for any given clinical research trial. This generally includes both IIF and non-IIF, such as: a subject’s name, date of birth, medical record numbers, contact information, notes about the subject’s clinical care, records of all biological specimens obtained from the subject during the course of participation in the clinical research trial, and results of clinical and research tests performed on specimens obtained from the subject. Submission of this information on the part of the subjects is voluntary, and permission is provided by trial participants via the standard clinical trial consent process.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) If and when major changes occur to the Labmatrix system such that data is either disclosed or the use of the data changes, our standard practice would be to inform the clinical and translational research investigators who have primary contact with the participants in their trials, and ask them to notify the subjects and obtain any further consents which are needed. Likewise, we rely on these investigators to obtain the initial consent from any subjects whose IIF will be stored in Labmatrix, and expect that the IRB-approved clinical trial consent documents will contain all relevant information about how this information is both used and shared.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative: Labmatrix incorporates its own list of permitted users, and restricts administrative control of the system to only those users who are specifically granted this right within Labmatrix. Similarly, the back-end database maintains its own list of approved administrative users, and grants administrative access and control only to these approved users.

Technical: Labmatrix incorporates encryption of all communication that travels over any network interface entering or leaving the system; this includes secure HTTP for all communication with the web application, and SSL encryption of all communication using the APIs for the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Labrador
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NCI Labrador
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: William D. Figg
10. Provide an overview of the system: Labrador is a system for tracking clinical samples and data related to the collected samples. It will be utilized by lab staff to catalog and barcode specimens, record information about the specimen and search existing samples.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: We will collect limited clinical and demographic data, including name, medical record number, date of birth, date of death, date of cancer diagnosis, type of cancer, treatment protocols, drug administration, race, gender. This data will be used, along with sample analysis results to learn about cancer therapeutics and evaluate factors which predict therapy outcome. Data is associated with individual sample records. Samples are only collected and entered into the system after patients have consented to IRB approved clinical protocol. Submission of personal information is mandatory, but enrollment in the collection protocol itself is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each patient has signed a consent form that allows collection of this data.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI LHC-CCR-Lab Manager for Human Studies Data
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: 0925-0623
6. Other Identifying Number(s): Support Resource Contract #HHSN261201000117C/N02-RC-2010-00117
7. System Name (Align with system Item name): LHC-CCR-LabManager for Human Studies Data
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Glennwood E. Trivers
10. Provide an overview of the system: Using taped copies of the State's Motor Vehicle Administration records of licensed drivers (for Baltimore City and 12 surrounding Counties) the system identifies potential volunteers with ages, genders, races and jurisdictional locations matching those of cancer patients in our studies. These names are then placed in an original project-designed search engine (employing several commercial and well known engines) to determine if the subjects have a telephone. Those that have phones are mailed letters introducing the project and then called to ask if they will participate. If they agree to participate, they are screened during the call for eligibility and scheduled for an in-person interview. There they are consented with a written and signed statement of purpose and uses of their contributions and the contractor's interviewer obtains their histories of health, social and occupational experiences and their biological specimens for future comparison and analyses as controls for those obtained from the cancer patients recruited using similar questionnaires and biological assay procedures.
Recruitment of all cases and population controls are performed by an NCI contract (HHSN2612010-00117/N02-RC-2010-00117) for collection of human specimens from subjects with epidemiological profiles currently held by the University of Maryland School of Medicine Baltimore. These resources are used in case-control studies of cancer, making Baltimore the center of the recruitment activity for population controls used in these studies: the Medical School is the primary contractor and it arranges with the Baltimore Veterans Administration Hospital and the Johns Hopkins University Hospital (including its subsidiary Bay View Hospital) to provide access to patients with the specified diseases.
Most of the patients are residents of the state and the population controls required to complete the study designs are recruited most accurately and economically from these areas. The database of licensed drivers offers the most efficient possibility of matching the potential controls prior to offering the opportunity to volunteer for the studies. The alternatives of surveying the population by telephone or personal contacts in a public setting are time-consuming, wrought with frustration and failure, and a comparative waste of valuable manpower and funding. Even with the advantage of the MVA database, only one in eighteen contacted agrees to participate.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosing of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system routinely collects personal information considered PII such as names, addresses, telephone numbers, and social security numbers. In addition, completed questionnaires will contain health, social and occupational histories, including diseases, surgeries, smoking habits, alcohol consumption, marriage status, parentage, jobs held, etc., and outcome of cytokine quality and quantity, presence of normal and mutated genes, etc., in test results from donated biological specimens (blood, serum, plasma, sputum and urine) to analyze environmental and/or genetic risk factors when compared with results from cancer patients. Submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1. We have contact information from the time of interview and the plan is to use those data (addresses and phone numbers) to re-contact the affected subjects and obtain a revised consent. Since we are already using the Internet search engines to locate phone numbers during recruitment, we will use these same resources to obtain current addresses and phone information. If they are not found using the original information, and if we have an updated drivers' license database, we would scan that database to determine if they appear there, have moved, or have a new phone number. Depending upon the urgency of the need to make these contacts (as per IRB instructions), we could use Google, Facebook and other engines to search or in a final effort, run searches on National Death Index and the Social Security Index to determine if they are deceased.
2. Subjects are sent an introductory letter describing the studies, the need for controls and the procedures for collecting information and biological specimens. Then they are called by telephone, asked to participate, given a brief screener to determine their eligibility, and asked for their choice of a time to be interviewed and to donate biospecimens. Before the interview, subjects are given a written Informed Consent to read, ask questions about, and to sign. If they do not sign, they cannot participate. The Consent Form describes the studies, the purpose, the specimens and the information they are to provide and it gives a description of the uses to be made of the information and their specimens' test results.
3. The Consent Form that the subjects sign describes the studies, the purpose, the specimens and the information they are to provide and it gives a description of the uses to be made of the information and their specimens' test results. Information is shared only as published summations; analyses.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: 1. Administratively, security is established by requiring access be granted to only the authorized with a need to know or be involved; that all authorized persons be properly trained prior to being given any access to established, on-going databases housing participant information, and in particular, databases with PII.
2. Technically, institutional "firewalls" and "VPN" accounts are the ultimate front line defense against exterior intruders; internally, security is achieved by requiring all users be given unique personal "user" identifiers or names, and unique and protected "system passwords" to access the most vulnerable and important databases both constructed using the most recently developed and tested techniques, for access to various systems with not one of them being duplicated for use in more than one system.
3. Physical Controls are in place that include human guards at all major points of entry to the facility housing the system, a standard requirement for pictured ID badges to be worn by all authorized personnel granted access to the system areas; all rooms containing system IT equipment are kept routinely under lock and key, with a monitor at every main door of access to the equipment, all files, and the on-duty personnel.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI NCI Internet Website [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-5
7. System Name (Align with system Item name): NIH NCI Internet Website - www.cancer.gov
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jonathan Cho
10. Provide an overview of the system: This is the NCI's internet Web site. It disseminates cancer-related information, including information on prevention, screening, diagnosis, treatment, and survivorship. Individuals may enter their e-mail address in order to receive the NCI Cancer Bulletin.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share or disclose IIF. If this changes, disclosure will be done per SOR 09-25-0106
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: SEC.407 (b) (4) of the National Cancer Act authorizes NCI to: “collect, analyze, and disseminate all data useful in the prevention, diagnosis, and treatment of cancer, including the establishment of an international cancer research data bank to collect, catalog, store, and disseminate insofar as feasible the results of cancer research undertaken in any country for the use of any person involved in cancer research in any country.” The only information collected is e-mail addresses. It is used to disseminate the e-newsletter, the NCI Cancer Bulletin. Submission of this information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Individuals enter their e-mail address in order to receive the NCI Cancer Bulletin. They are told this on the web site when they subscribe. This is voluntary. E-mail notifications can be sent if a major change to the system is made.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI NCI Local Network [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009 25 0200 01 3109 00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): NA
5. OMB Information Collection Approval Number: NA
6. Other Identifying Number(s): NA
7. System Name (Align with system Item name): NCI Local Network
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Williams
10. Provide an overview of the system: The system is a General Support System (GSS) and does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system is a General Support System (GSS) and does not directly collect or store information. The applications/systems residing on the GSS collect and store information. Therefore, individual PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) NA
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI NCI National Biomedical Imaging Archive [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI National Biomedical Imaging Archive
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Robert Shirley
10. Provide an overview of the system: NBIA is a searchable repository of in vivo images that provides the biomedical research community, industry, and academia with access to image archives to be used in the development and validation of analytical software tools that support:
- Lesion detection and classification
- Accelerated diagnostic imaging decision
- Quantitative imaging assessment of drug response
NBIA provides access to imaging resources that will improve the use of imaging in today's biomedical research and practice by:
- Increasing the efficiency and reproducibility of imaging cancer detection and diagnosis
- Leveraging imaging to provide an objective assessment of therapeutic response
- Ultimately enabling the development of imaging resources that will lead to improved clinical decision support.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII is stored in NBIA
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) Clinical trials, physicians and other researchers submit images to NBIA using the CTP (Clinical Trial Processing) software, which is loaded on a computer at their location. Images are submitted (and stored) in the medical image standard, Digital Imaging and Communications in Medicine (DICOM). A typical DICOM file stores a digital image along with a series of tags that contain metadata about the image such as patient ID, study ID, patient weight, anatomic site, and so forth. As part of the NBIA image submission process, the CTP software, prior to uploading the images to NBIA, performs an anonymization routine to strip out any identifying metadata. Even once an image is uploaded into NBIA, curators perform quality control on submitted images to ensure no private patient data is available, the image is of good quality, and so forth. Any images found to contain identifying data in the metatags are immediately deleted from NBIA, prior to being made available via search functionality. (2) NBIA was developed to provide the biomedical research community, industry and academia with access to image archives to be used in the development and validation of analytical software tools that support lesion detection and classification, accelerated diagnostic imaging decisions, and quantitative image assessment of drug response. 
NBIA provides access to imaging resources that will improve the use of imaging in today's biomedical research and practice by increasing the efficiency and reproducibility of imaging cancer detection and diagnosis, leveraging imaging to provide an objective assessment of therapeutic response, and ultimately enabling the development of imaging resources that will lead to improved clinical decision support. The search interface used by researchers is also available to the general public, should they want to use it. (3) NBIA does not contain any PII. Both automated processes (Clinical Trial Processing software) and manual checks by quality control staff are used to ensure that PII does not exist in any image or its metadata. (4) Submission of DICOM images to NBIA is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII is stored in the NBIA system
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no PII stored in the system, however the system uses firewalls, passwords, locks, id badges, background investigations, network monitoring and an Incident Response team.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Network and Directory (eDir)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-4
7. System Name (Align with system Item name): NIH NCI Network & Directory
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Doug Hosier
10. Provide an overview of the system: This system provides network and directory services to the NCI. It is used to control access to NCI computer resources. To accomplish this, it contains username/password information, contact information, and information about access rights.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Collects work-related/assigned information necessary for network operations. The system contains username, password, work phone, work address, and name for NCI employees, contractors, fellows, and others who have a business relationship with NCI.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI New England Bladder Cancer Study (NEB)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Clinical Exemption #2009-06-001
6. Other Identifying Number(s): NEBCDS
7. System Name (Align with system Item name): New England Bladder Cancer Study
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Claudine Samanic
10. Provide an overview of the system: A secure database containing contact information for subjects of earlier phase of New England Bladder study and next of kin; medical data collected by the study; and, health and vital status data on study participants.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The study will collect and maintain PII for the purpose of tracing and contacting study participants, and integrating medical information and records into an analytic database. PII will be used to locate and contact individuals who already participated in a study of bladder cancer, so that we can interview them and update exposure information, and so that we can obtain medical record information about initial treatment, recurrence of bladder cancer, disease progression, and death from bladder cancer. We already have PII from these patients because of their participation in a previous study. Submission of personal information was voluntary. PII will not be analyzed or disseminated in any way, and medical and other information will be anonymized and analyzed in aggregate. Medical and demographic data will be disassociated from IIF once tracing and data collection end. In the analytic database that will be made available in whole or part to study investigators, a blinded ID will identify records for individual study subjects. The study will use analytic data to assess health outcomes of different groups of subjects and to publish disclosure-proofed findings in scientific journals and forums.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The relevant NCI and other IRBs that approve the study require formal IRB notification in the event of a disclosure of IIF not approved in advance, or any changes in uses of data. The IRBs specify what information the study may collect and how the information may be used or shared. Only participants who provided consent and participated in the parent case-control study will be contacted. Participants will be contacted and enrolled by mail and telephone and verbal consent will be obtained by telephone. Participants will also be asked to sign an Authorization to Release Medical Records form that will serve as written informed consent for study personnel to obtain medical records.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Westat requires human subject protection and data security training of all health studies staff members, and also requires that each employee sign a pledge of confidentiality. The Senior System Manager monitors compliance to these and other administrative controls. Systems containing PII and other confidential information require user authentication (ID and password) for access. User roles limit access to need to know. Physical storage media (paper, disk, etc.) are being stored in locked containers or areas, with key or card access limited to approved individuals.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI OCE Office of Market Research and Evaluation Surveys
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0046
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): OCE's Office of Market Research and Evaluation Surveys
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Holly A. Massett, Ph.D.
10. Provide an overview of the system: The system is comprised of a web-based interface and associated backend database, plus necessary programmatic functionality to store and retrieve data, a portion of which may be provided by OMRE for a given task, and the majority of which is provided by the individual users. The primary purpose of the system is to store, compile, analyze, and output user data on a per-task/project basis; the system does not store data pertaining to individual projects past a short period following their completion.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII in the system. Personal information outside of work context is not collected.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1). The system may store any or all of the following information: names, business email, mailing address of clinic or partner organization, business phone or fax information, organization name and individual's position within that organization.
(2). This information may be tied to data collected via survey or questionnaire within the system for which the individual has previously identified to be given access and from whom specific responses are needed.
(3). This information collected may include any of the data listed in (1). and does not constitute PII as defined by this form as all data in question is business-related contact information.
(4). No PII is collected. Submission is voluntary and user may opt-out of data collection.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1). N/A - No PII in the system.
(2). N/A - No PII in the system.
(3). A written privacy notice is posted at the entry point of each system interface. This privacy statement states the type of data collected, how it will be used, and how data will be reported (e.g. user-specific, aggregate, etc). OMB numbers are provided where applicable and the ability of opt-out and remove all data is available to each user at any point within the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII in the system. Web-based access to the system may include (encrypted) passwords, unique URLs, SSL, and other one-time login identifiers. Privacy notices alert the individuals accessing the system what types of information are stored and how they will be used; individuals may opt-out of data collection at any point and remove all data previously input. Servers and physical backup hardware are stored in a secure data center.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Office of Acquisitions (OA)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): no
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): NCI-2
7. System Name (Align with system Item name): NIH NCI Office of Acquisition System (OA)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita Hughes
10. Provide an overview of the system: This system collects and maintains pre- and post-award contract data for reporting to Department and Federal Contract Information Systems (DCIS & FPDS-ng). The types of information include the socio-economic classification of the contractor (small, disadvantaged, etc.) as well as information about the type of project.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The primary data collected by the system is of a financial/budgetary nature. Additional NIH reporting requirements relating to each project, i.e., socioeconomic classification of the contractor (e.g., small disadvantaged business) and information about the type of project (i.e., clinical trial, human subject research, animal research, epidemiological study), are also collected. No personally identifiable information (PII) on any individual is collected in this system. The project information collected is required by the HHS Department Contract Information System (DCIS), which transmits the information to the Federal Procurement Data System-Next Generation (FPDS-NG), which provides this budget and project information to Congress.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII collected.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Office of Liaison Activities Database (OLA)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-64
7. System Name (Align with system Item name): NIH NCI Office of Liaison Activities Database (OLA)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nelya Gunina
10. Provide an overview of the system: The Office of Liaison Activities Database (OLA) maintains contact information for advocacy organizations and professional societies. The system also maintains information about individual advocates that serve the NCI through the Director’s Consumer Liaison Group (DCLG) and the Consumer Advocates in Research and Related Activities (CARRA) program.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share outside the agency. Disclosures permitted in SOR 09-25-0106 are not made.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Legislative authority is 42 U.S.C. 203, 241, 289l-1 and 44 U.S.C. 3101, and Section 301 and 493 of the Public Health Service Act. Information maintained for advocates that are members of the CARRA program includes membership status (active or non-active), race/ethnicity/age/gender of member, occupation, highest educational degree earned, area of educational degree, primary/personal/constituency cancer type, location/race/ethnicity of constituency, activity preferences, computer skills, ability to travel, and skills/accomplishments/activities. Information is used only within the agency. Submission of information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Notification and consent in both cases is done via e-mail.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Oracle Clinical- Remote Data Capture (OC-RDC)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NCI DCP Oracle Clinical-Remote Data Capture (OC-RDC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anne Ryan (Troy Budd is alternate POC)
10. Provide an overview of the system: OC-RDC serves as the primary database and data management tool for the Division of Cancer Prevention (DCP) phase I and II clinical trial portfolio. Westat, the prime contractor on this project, works with the DCP Chemoprevention Consortia Lead Orgs to develop clinical trial menus through which each consortium can enter participant enrollment data and adverse events. OC-RDC also provides DCP and Consortia Lead Orgs with data quality management, including data discrepancies reports, audit trail, etc. OC-RDC is DCP's effort to manage and support the data collection of clinical trials conducted under our phase I and II Chemoprevention Consortia Program.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF is present in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Types of data available in OC-RDC include protocol attributes, site information, agent information, adverse events, data discrepancies information, and Non-IIF participant level data. The information is critical for data management of DCP chemoprevention consortia clinical trials.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF is present in the system
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is present in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Oracle RightNow
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Significant System Management Changes 
1. Date of this Submission: 7/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: 0925-0208
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Oracle RightNow
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Robert Zablocki
10. Provide an overview of the system: The Oracle RightNow_CX houses documentation, resources, and applications needed by the Cancer Information Service & NCI Project Office to respond to inquiries and manage operations. Access to 3rd party and custom applications is controlled through this site through a single sign-on via a CIS Extranet account.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII collected in the Oracle RightNow CX about an interaction with the public may pass through name, mailing address, and e-mail address information to the Oracle RightNow CX system for fulfillment of publication requests. Information collected in Oracle RightNow CX for research purposes may be sent via encrypted exports to researchers for analysis and follow-up.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Through the various access channels (chat, e-mail, mail, and phone) clients may voluntarily provide PII and other information including name, address, phone number, e-mail address, health information and demographic information during the inquiry response, materials ordering, or research participation processes. This information is only used to provide the requested services to the client, or shared with researchers during the course of a research study. Aggregate information that is not personally identifiable is used to describe and improve our services.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Individual public users of the Cancer Information Service cannot be contacted when major changes are made to the Oracle RightNow_CX and its applications because contact information is purged on a rolling basis every 90 days. On the LiveHelp chat welcome page, a written privacy notice is posted letting users know the service is anonymous and asking not to send PII during the chat. For PII collected during a phone call, Information Specialists read a statement to clients that information provided will be kept confidential, and research studies contain their own additional informed consent statements that are read to clients.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Operational Control Class
Operational controls address security mechanisms that focus on methods that are primarily implemented and executed by people (as opposed to systems). The operational control class includes the following nine control families:
§ Awareness and Training (AT)
§ Configuration Management (CM)
§ Contingency Planning (CP)
§ Incident Response (IR)
§ Maintenance (MA)
§ Media Protection (MP)
§ Physical and Environmental Protection (PE)
§ Personnel Security (PS)
§ System and Information Integrity (SI)

Security Awareness and Training Policy and Procedures
The Corporate Information Security Policy addresses information security standards and guidelines, including security awareness and role-based security training. The section specifically covers information guardians, upper management, users, data custodians, hosting security and RightNow corporate officers. Formal Security & Privacy Awareness training is required for all existing employees with access to customer data, required for all new employees, and for all employees on an annual basis.
Security & Privacy Awareness is performed on a continuous basis, and is a formal, standard part of every employee’s “new employee orientation” training. All new employee training is performed in a classroom, in-person setting, and existing employee training is performed in-person, or via live web conference. Training records, including date of training, version of training, name of trainer and employee, are maintained in an online system, for at least six years.

Configuration Management Policy and Procedures
RightNow has a Change and Configuration Management policy that addresses purpose, scope, roles, and responsibilities.
A detailed flowchart of the Configuration Management procedures is included in the policy and is automated via workflow within the JIRA application.

Contingency Planning Policy and Procedures
RightNow’s Corporate Information Security Policy specifies a general contingency planning policy, which is further defined in the Cloud Delivery Disaster Recovery Plan. This document formally identifies the purpose and scope of the plan, the disaster recovery/contingency planning roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
The Cloud Delivery Disaster Recovery Plan formally documents the procedures for recovering a Pod in the event of a contingency or disaster.

Incident Response Policy and Procedures
Currently RightNow includes the incident response policy as part of the RightNow Corporate Security Policy. The policy references the RightNow Corporate Security Incident Handling Plan for providing corporate scope, roles, and responsibilities, and procedures; and
The RightNow Corporate Security Incident Handling Plan provides the particular incident response procedures to facilitate the implementation of incident response policy.
The CIRT at RightNow Technologies is comprised of select members of the Corporate Security Committee. The leader of the CIRT is the Chief Information Security Officer. The CIRT leader will determine, for each incident, which parties from the security committee are required in order to achieve timely and effective resolution of the problem. Resources outside the security committee may be included into the CIRT as needed. During an investigation, the central point of contact for all issues is RightNow’s CISO. When the corporate security officer is unavailable, another member of the security team may be designated by general counsel to handle coordination of the incident. The designated team leader will coordinate all internal resources and communications necessary to achieve resolution.
The corporate security office will be responsible for making sure that this policy is followed during an incident.

System Maintenance Policy and Procedures
The RightNow Change and Configuration Management Policy addresses all changes to the
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Orientation Registration (OrienReg)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-35
7. System Name (Align with system Item name): NIH NCI Orientation Registration (OrienReg)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nelya Gunina
10. Provide an overview of the system: A website used to register new employees for the NCI Orientation Program.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF not collected
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Employee names are entered into a database in order to register them for employee orientation. No IIF is collected. Submission of this information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Individuals are notified when they are hired about how the information will be used. No procedures are in place to notify individuals if major changes to the system are made.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Pathway Interaction Database (PID)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Pathway Interaction Database (PID)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jeffrey Buchoff, Tanja Davidsen
10. Provide an overview of the system: The Pathway Interaction Database is a highly-structured, curated collection of information about known biomolecular interactions and key cellular processes assembled into signaling pathways. It is a collaborative project between the US National Cancer Institute (NCI) and Nature Publishing Group (NPG), and is an open access online resource.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1. The agency does not collect any personal information through the system. Molecule and pathway data are entered into the system by the programmer. Web statistics are tracked as well, which include IP addresses and URLs.

2. The web statistics are used to determine the amount of system use.

3. The system does not contain PII.

4. No personal information is submitted.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/9/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI PLCO Research Database (PLCO)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-59
7. System Name (Align with system Item name): NIH NCI PLCO Research Database (PLCO)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Guillermo Marquez
10. Provide an overview of the system: The system is used for monitoring, quality control, and analysis of the PLCO trial.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system is used to store and monitor data from the participants in the PLCO and NLST prevention trials. Such data consists of results of screening tests such as chest x-rays, serum PSA and CA-125, sigmoidoscopy, etc. Medical history and other questionnaire information is also stored. To protect confidentiality, the data in this system is referenced by a randomly assigned participant ID code only. The actual identity of the participant is known only to the screening center at which these tests were conducted. Since these participants are treated as clinical patients at these centers, their true identity is considered confidential, as with any patient, and is protected in accordance with HIPAA regulations to which all of these screening centers must adhere.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained. However, no PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Portfolio Management Application (PMA)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: NA
6. Other Identifying Number(s): NCI-32
7. System Name (Align with system Item name): NIH NCI DCCPS Portfolio Management Application (PMA)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Everett Carpenter
10. Provide an overview of the system: This application is used by NCI Extramural Division staff to manage their Research Portfolio (Grants, Contracts, Interagency Agreements); Responding to Congressional Requests (Coding, Searching, Reporting); mass mailing; Dynamic Dissemination of Research Portfolio on Public Web site, etc.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Shared with NREP to identify and collect programs for the RTIPS application. Shared with Input Solutions Inc. to convert Program Products for RTIPS application. Share RTIPS contact Information with ASPEN Systems for the purpose of order fulfillment. Dissemination of Principal Investigator name on DCCPS Public web site. Share CCPlanet contact information. Information sharing is done in accordance with SOR 09-25-0036.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a and 44 U.S.C. 3101. The information is collected and reviewed by the Federal Program and DCCPS Management Staff to provide timely information for analysis, processing and/or dissemination. IIF collected is name, mailing address, e-mail address, and phone number. Information is submitted voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Change in Data Use/Shared – Individuals will be notified via telephone or email to obtain consent.

Via the CCPlanet order form, individuals are told how the information will be used/not used and consent is obtained by the user entering their information and executing the submit order button.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations, scheduled scan of servers and application code. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI PRO-CTCAE
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 9/21/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 9-25-0200
5. OMB Information Collection Approval Number: #2010-02-001 clinical exemption
6. Other Identifying Number(s): Not Applicable
7. System Name (Align with system Item name): NIH NCI Patient-Reported Outcomes version of the Common Terminology Criteria for Adverse Events (PRO-CTCAE)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kathleen Castro
10. Provide an overview of the system: The system is used by clinicians to create, schedule, and administer symptom surveys to study participants. The system is also used by study participants (i.e. patients with cancer participating in cancer clinical trials) to provide responses to these symptom surveys. The system provides the ability to notify or remind a study participant that they have a symptom survey due.

The system provides two interfaces for study participants to respond to symptom surveys:
1. A web interface where the study participant accesses a web site, authenticates who they are via a username and password and responds to a symptom survey via the web site. The patient reads the questions on the screen and clicks to select the appropriate responses.
2. A phone interface where the study participant calls or is called by a phone system, and listens to the questions on the phone and presses buttons on their phone keypad to select the appropriate response.

The responses provided by the study participant via either the web or the telephone interface are coded by the system, mapped to the CTCAE dictionary and saved directly and immediately to a database. The participant responses to survey questions are not stored anywhere except in the database. Participants may respond to the questions in either English or Spanish. The database is housed behind the NCI firewall.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The PRO-CTCAE is used by clinicians to create, schedule and administer symptoms to study participants. Study participant names and dates of birth are shared with clinicians to allow preparation and administration of surveys.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The system collects and maintains patient responses to symptom surveys. The data is not only federal contact data.
(2) The system will support investigator authoring of patient reported outcome case report forms (CRFs) and collect cancer patient responses to questions about their health status, symptoms, functioning and health related quality of life and integrate this information within the NCI adverse reporting system.
(3) Yes
(4) All data provided is voluntary
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1) Patients are enrolled on protocols which have been IRB approved. Patients are provided written consent describing the PRO-CTCAE system. Signed consent will be obtained from patients prior to data entry into the system. Patients will be notified in writing if major changes occur to the system.
2) Signed consent will be obtained from participants by members of the research team. The consent document informs the participant that study records will be kept confidential as required by law.
3) Participants are given written consent documents which have undergone IRB approval and are reviewed on an annual basis by the respective IRB.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: 1. User Passwords (IA-5)
The PRO-CTCAE system account management practices shall adhere to the NCI Password Policy.
NCI Password Policy:
Users must choose passwords that have at least eight characters and include a combination of all four of the following types of characters:
Capital letters
Lower case letters
Numeric characters
Special characters (!@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

2. Passwords for Clinical Staff
Clinical staff user passwords will adhere to the NCI Password Policy.

3. Telephone Interface Passwords for Study Participants
The telephone interface passwords, hereafter known as personal identification numbers or PINs, for clinical trial participants (i.e. patients) will adhere to the following password policy:
Users must choose passwords that have exactly four numeric characters. Special characters may not be used. Alphabetic characters which correspond to the telephone keypad may be used as a mnemonic to aid users in recalling their PIN.

4. Procedures for changing/resetting passwords (IA-5)
The PRO-CTCAE system account management practices shall adhere to the NCI Password Lifetime Policy.
NCI Password Lifetime Policy:
Users must change passwords at least every 60 days to one that is different from the previous 24 passwords used;
Users must change their newly assigned system passwords the first time they log on.
Minimum password lifetime is 1 day.

5. Password Changes for Clinical Staff
Clinical staff user passwords will adhere to the NCI Password Lifetime Policy.

6. Unsuccessful Login Attempts and Account Lockout Settings (AC-11)
The following is the NCI Policy regarding unsuccessful login attempts:
When the system supports it, the maximum number of invalid user attempts during a 15 minute window is 6 (failed attempts). The account must remain locked for at least 60 minutes or until manually reset by an authorized administrator or by using a self-registration/reset website utility.

7. System Inactivity (AC-11)
The PRO-CTCAE system policy for managing idle authenticated user sessions shall adhere to the NCI policy.
NCI Policy:
Session lock mechanisms will be activated for user workstations and server consoles and other systems automatically after 15-30 minutes of inactivity, when technically and operationally feasible. Users must log out of their computers or lock their screen when they leave their desks.

8. Caching Passwords (IA-5)
The PRO-CTCAE system policy regarding caching/storing passwords shall adhere to the NCI Policy.
NCI Policy:
Users are prohibited from caching (auto-saving) NIH or NCI system passwords on the local system. Passwords should not be stored in websites, programs or scripts, if operationally feasible.
The PRO-CTCAE system does not prevent users from saving their passwords using browser enabled password saving. This policy is enforced through user compliance to the policy.

9. Separation of Duties and Least Privilege (AC-5, AC-6)
The PRO-CTCAE system supports the separation of user duties and the principles of least privilege. Users’ access to the PRO-CTCAE system shall be assigned and restricted based on role or function within the system, and be limited to the minimum level of access necessary to perform the assigned duties within the system. Security related user roles will be divided between different roles through the use of role based access control (RBAC) to the extent feasible and practicable. Users will be assigned to groups or roles, which have appropriate permissions and privileges pre-assigned to them. Users must be issued and must use only non-privileged account credentials when performing non-privileged activities in the system or application.

10. Account Management (AC-2)
The PRO-CTCAE system adheres to a hierarchical method of user account administration which closely follows the hierarchy of responsibility employed for the conduct of the clinical tri
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Publications Enterprise
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/19/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Publications Enterprise
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Robert Zablocki
10. Provide an overview of the system: The Publications Enterprise (PE) system is used to manage information about NCI publications; control display of publication information on various ordering interfaces; and intake and process orders for publications. The PE system is composed of four Web-based order interfaces; a centralized admin tool to house order and inventory information; warehouse management system; shipping system; issue tracking system; standard response library; reporting tool; and NCI client report Web site.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII information provided by users to create an account or place a publication order are not in any way disclosed or shared with third parties, NCI, or Lockheed Martin staff except as needed to process orders or resolve a customer support request. Name, address, and shipping number as needed are shared with FedEx, UPS, and USPS in order to ship requested publications.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: For purpose of order fulfillment, name, address, e-mail, phone, and FedEx/UPS shipping number as needed are collected and stored for 90 days before purging. An account registration option is available to the public on the NCI Publications Locator Web site, where provided name, address, e-mail, and phone number information is stored indefinitely, with user authentication required to protect account information.

Provision of PII is voluntary and only collected in order to process a user’s request for printed publications. Users may view publications online through the order interfaces rather than place an order and provide PII information. PII information is retained for 90 days in case there is an issue with the shipment. After 90 days all PII data are purged unless connected to a registered account created by the user through NCIPL. PII data provided through registration are retained indefinitely.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PII information provided by users to create an account or place a publication order are not in any way disclosed or shared with third parties, NCI, or Lockheed Martin staff except as needed to process orders or resolve a customer support request. Name, address, and shipping number as needed are shared with FedEx, UPS, and USPS in order to ship requested publications. Reports from the system provided to NCI staff contain aggregate data only. The privacy policy is available through the order interfaces or by calling/e-mailing the Publications Ordering Service and is updated as needed to reflect changes. Users may submit questions or complaints via e-mail or by calling the Publications Ordering Service.

Online via help files and privacy policy; via phone or e-mail upon user request
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII are secured within the Publications Enterprise system through the following ways:
· Only authorized, authenticated IT staff have direct access to the servers, applications, and database.
· IT staff access to resources are role-based and limited.
· There is a designated deployment team and deployments are handled through a secure, isolated gateway.
· Usernames and strong passwords are required and are either managed through Active Directory or LM’s database-driven Global User Authentication Module.
· All production assets are in a central cloud hosting facility that has controlled and limited physical access.
· Data connected to Publications Enterprise system are not co-mingled with other cloud users, ensuring control and traceability of data.
· The production environment is logically separated from the development environment.
· Each application in the system has set role-based user permission levels with different privileges. Users are assigned the appropriate permission level based on their required position tasks.
PII data are purged from the applications and database on a 90-day schedule. Only users who opt to create accounts on NCIPL will have PII data retained indefinitely.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Research Resources
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): None
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NCI Research Resources
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Elizabeth Hsu, PhD, MPH
10. Provide an overview of the system: NCI Research Resources is a directory of research tools and services that the National Cancer Institute (NCI) makes freely available to cancer researchers on the Web at http://resresources.nci.nih.gov/. This centralized listing of scientific tools, reagents and services developed by the NCI is provided as part of our ongoing commitment to cancer investigators to enable and expedite their research. It includes descriptions of each resource and is organized by research category and by NCI organization. The categories include animal, specimen, genomic, epidemiological, and scientific computing resources; drugs, chemicals, and biologicals; clinical trials; and statistics.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This public Web site will not collect any information from public users - it is simply a catalogue of services. The application will collect information from NCI staff, but it will not collect any PII. The information that will be collected from NCI staff, maintained by the application, and disseminated via the public Web site is the name of the research resource, a description of that resource, the research category to which it belongs; the NCI organization that provides the resource; and general contact information for the NCI organization.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Because the system does not collect any PII, there are no processes in place to manage PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Because the system does not collect, maintain, or disseminate any PII, there are no controls in place to secure PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Smokefree.gov Website(s) and Mobile Apps (Smokefree.gov)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/22/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NCI Smokefree.gov website(s) and Mobile Apps
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lewellyn Belber
10. Provide an overview of the system: The system is a group of publicly accessible websites that provide evidence-based smoking cessation information to the general public and to specific target audiences. The primary website is smokefree.gov, and the sub-sites are: women.smokefree.gov, teen.smokefree.gov, and espanol.smokefree.gov. As more target audiences are identified, more sub-sites may be created. The cessation resources are provided as plain content, interactive quizzes, and printable PDFs. Some parts of the system will allow visitors to login to customize their website experience, and to record their smoking behavior in order to tailor the resources that are provided. The smartphone applications likewise display content to help people quit smoking, and allow users to track their smoking behavior and quit attempts in order to encourage and facilitate quitting.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) The system will collect email address, username, password, cell phone number, and data on smoking and other health behaviors (e.g. the number of cigarettes smoked in a day.)

2) The information is collected to allow a user to customize their experience on the website by logging in, with tailored content and statistics on their smoking behaviors. The e-mail address will be used for password reminders and notification of site updates. The mobile phone number will be used for a voluntary smoking cessation program delivered by text message.

3) The system will collect PII: email address and mobile phone number.

4) Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1) If major changes to the system are made, individuals will be notified by email.

2) When an individual submits information, including PII, to the site, they will be notified through text on the form and a link to our privacy policy.

3) Users’ information will not be shared. It will be used to deliver password reminders, to customize the website experience, and to deliver smoking cessation messages by text message.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The virtual servers are located in a locked and remotely monitored facility.
Access to the web server is granted on a limited basis to developers who need access to the system. Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained as part of NIH’s IRT program.
All employees participate in annual security and privacy training through NIH and the contracting agency.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/9/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Starcatcher-StarGazer (Starcatcher)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-12
7. System Name (Align with system Item name): NIH NCI Starcatcher/Stargazer (Starcatcher)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mary Velthuis
10. Provide an overview of the system: StarCatcher/Star Gazer is a web application in which the public can enter and submit resumes for referral within the NCI.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Shared within NCI with NCI hiring managers per SOR 09-90-0018. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Authority to collect this information is National Cancer Act of 1971, SEC.407 (b) (4). A limited amount of information collected via StarCatcher is used by authorized NCI staff via StarGazer to identify candidates interested in working at the NCI. Submission of information is voluntary. The information specifically collected is the person's name, phone number, mailing address and e-mail address. There may or may not be other IIF on the resumes that individuals submit.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Candidates input information into StarCatcher and upon entry into the site, it is stated that: NCI maintains a resume databank of interested applicants for professional, administrative and internship positions that may have future openings. If you would like to post your resume, please choose a job category/specialty that we list.

On the website it is noted that: “The NCI StarCatcher Website accepts resumes from interested applicants for positions that may have future openings, it is not intended to solicit or accept applications for official vacancy announcements. Your contact information and resume will be kept on file in the StarCatcher Website for one year from the date you post your resume.”

There are no procedures in place to notify individuals when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Status of Funds Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-73
7. System Name (Align with system Item name): NIH NCI Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bob Barber
10. Provide an overview of the system: SOFie is a financial tracking tool that allows users to access financial data and download the data into spreadsheets in order to perform analysis.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: All accounting transactions are available for viewing in SOFie. The information is used to track and plan fiscal budgets. It is necessary to have access to this data in order to comply with appropriations laws and regulations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Survey of Physician Attitudes Regarding the Care of Cancer Survivors (SPARCCS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NA
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: 0925-0595
6. Other Identifying Number(s): NA
7. System Name (Align with system Item name): Survey of Physician Attitudes Regarding the Care of Cancer Survivors (SPARCCS) Study Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lynne Harlan
10. Provide an overview of the system: SPARCCS is a mail survey of a national sample of practicing physicians. Physician offices are called to confirm the specialty of the physician and the mailing address. Eligible physicians are then mailed a paper survey to complete and return to Westat. After 3 mailings, physicians that have not returned a questionnaire are called and asked to participate in the study by returning a paper survey. The Study Management System tracks the physicians’ contact and eligibility information. Once questionnaires are returned, they are scanned to capture responses. Individual identifying information is stripped from the response data prior to delivery to NCI.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Identifying information is provided to authorized study staff in order to make contact with respondents and to track information. The identifying information is not shared with anyone outside of Westat. This system falls under the guidelines of Privacy Act System of Records Notice 09-25-0156.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1. Authorization: The Public Health Service Act, Section 412 (42 USC 285a-1) and Section 413 (42 USC 285a-2)

2. Information collected: SPARCCS collects information about the beliefs, knowledge, attitudes, and practices of primary care physicians and cancer specialists regarding the care of cancer survivors.

3. Purpose of collection: NCI’s primary objective for supporting SPARCCS is to identify whether physicians are meeting the components described by the Institute of Medicine’s 2005 report that described the essential components of cancer survivorship care within a health care delivery system. These data will inform the process of standardization of survivorship care practices; augment the data collected in other cancer survivorship studies such as the Cancer Care Outcomes Research and Surveillance Consortium and the Cancer Research Network; and monitor the progress made toward achieving NCI strategic goals of improving the quality of cancer care across the cancer control continuum.

4. Routine disclosure: There are no routine uses for which IIF would be disclosed to those not authorized to use the system (e.g., Westat employees assigned to the project).

5. Voluntary or mandatory? Information is provided on a voluntary basis only.

6. If mandatory, effects of not providing information: Not mandatory – there are no effects if the information is not provided.

PII collected and maintained includes name, mailing address, phone number, email address and unique study ID number.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information about the study and data disclosure is provided to respondents in written form along with the survey instrument. Completion and return of the survey is considered to be consent to participate. No changes in disclosure or data use will be permitted without explicit consent from each survey respondent.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF is secured using password protected networks, system firewalls, and key cards/identification badges for all physical locations. Data is maintained in a secure database. Information will be secured on the system through access controls, personnel security awareness and training, regular auditing of information and information management processes, careful monitoring of the information system, control of changes to the system, appropriate handling and testing of contingencies and contingency planning, ensuring that all users are properly identified and authorized for access, and that they are aware of the rules and acknowledge that fact, by ensuring that any incident is handled expeditiously, properly maintaining the system and regulating the environment the system operates in, controlling media, evaluating risks and planning for information management and information system operations, by ensuring that the system and any exchange of information is protected, by maintaining the integrity of the system and the information stored in it, and by adhering to the requirements established in the contract and statement of work.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Technology Transfer Center Online Customer Survey (NCI TTC)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-XXXX (Pending approval sometime in April/May 2011)
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Technology Transfer Center (TTC) Online Customer Survey
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Hewes, Ph.D.
10. Provide an overview of the system: The NCI TTC Online Customer Survey is a web-based data collection tool designed to assess the satisfaction of NCI Technology Transfer Center (TTC) customers and collect descriptive, non-confidential information about their company's communications and marketing. Respondents of this survey include the universe of the NCI TTC's "external customers" which includes approximately 750 managers and executives in the 320 for-profit companies who have developed biomedical research alliances with the NIH through the TTC, or made information requests concerning NIH Material Transfer Agreements (MTAs), Cooperative Research and Development Agreements (CRADAs), Confidential Disclosure Agreements (CDAs), and other instruments for developing collaborative research. Only business contact information will be used to correspond with respondents. No PII will be collected using this system. A secure url and a password will be provided to respondents to access the online survey. This website will not be available to the public.

No PII will be utilized or collected from this survey. Only company contact information will be used. There are 36 questions and none of them ask for PII. In addition, the contact information requested is company contact information only.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1 & 2. The purpose of the web-based survey is to gather critical information that will serve the goals set forth by the TTC to obtain a better understanding of the needs of its external customers in the private sector. The web-based survey will collect descriptive, non-confidential information about the characteristics of the respondents' particular company, satisfaction with TTC's customer service, preferred and expected communications channels of TTC's external customers, and strategic plans of companies to engage in external collaborations and partnerships. Respondents will not be asked to identify specific companies.
3. No PII will be collected
4. Submission is voluntary - a statement at the beginning of the survey instrument indicates that participation is strictly voluntary. There will be no invitation or request for survey participants to enter or submit personal information. Survey contact information is non-confidential company contact information collected from online public and subscription databases and any NCI-internal database of companies that have negotiated collaboration agreements with NCI TTC.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Technology Transfer Center website (TTC)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Technology Transfer Center Website (TTC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bonnie Chamberlain
10. Provide an overview of the system: The system, the NCI TTC website, is used to disseminate information to Biotechnology and Pharmaceutical industry representatives, Academics, Non-Profit, and NIH staff about technology transfer related information. Disseminated information includes: the TTC mission; Public Health Service and NIH approved model technology transfer agreements; Technologies that are available for co-development/collaboration with NIH; brochures that describe technology transfer and the role of TTC in technology transfer at NCI and NIH, and intellectual property management plan templates for grantees and contractors. The system also includes a “listserv” where interested parties (who have subscribed by adding their email address to the subscription request area of the website) receive a notice by email whenever a new co-development/collaboration opportunity is added to the website. The notification is sent to the listserv subscribers automatically through a content management system for the co-development/collaboration opportunities.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) We collect the email address of individuals who volunteer to add their email address to the listserv we maintain as part of the website where we send them new co-development opportunities. 2) We use the information to send new co-development opportunities which have been added to the website. 3) The information may contain PII because individuals list their e-mail addresses. 4) Submission of personal information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1) A notice would be generated through the website and sent to all listserv subscribers' e-mail addresses. 2) Individuals voluntarily subscribe and add their e-mail addresses to the listserv. Should a major change occur, they would be given the opportunity to continue to subscribe or to unsubscribe. Should they no longer wish to receive co-development opportunities, they can unsubscribe. An option to unsubscribe is included with every opportunity announcement they receive. 3) They would receive an electronic notice of any change in the NIH Privacy Policy.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls: The COTR for the web development/maintenance contract controls who is assigned as a site admin user and relays the information to the web contractor.

Technical: Access to the email addresses is controlled by the use of User Names and Passwords to access the site administration area of the website where the email addresses are available. Only 2 users are allowed to access the site admin area. One is the primary user and the 2nd is the back-up.

Physical: Since the email addresses are stored electronically, no "physical access" is available.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/9/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI TeleTech eWFM
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Genesys WFM
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Robert Zablocki
10. Provide an overview of the system: Genesys WFM uses historic contact center data concerning the various points of access (phone, chat, e-mail) to determine future volumes and staff needs. The system is used to create schedules for contact center staffing.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system is used to forecast contact center staffing needs and create staff schedules. Data collected and stored in this system contains no personally identifiable information. Only information such as agent names, skill sets, and work schedules are stored in this application along with details about each interaction (i.e., handling time, time interaction arrives, time to complete interaction, etc.). The application also allows reporting of planned and unplanned daily and intraday activities such as meetings, days off, holidays, etc. to further record events, improving forecasting and staffing assessments.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not applicable since there is no PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Not applicable since there is no PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI The Cancer Genome Atlas Data Coordinating Center (TCGA DCC)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): None
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): NCI-83
7. System Name (Align with system Item name): NIH NCI The Cancer Genome Atlas (TCGA)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carl Schaefer
10. Provide an overview of the system: The Cancer Genome Atlas (TCGA) is a three-year pilot cancer genome characterization and sequencing project to determine the feasibility of large-scale effort to identify most of the genomic changes in three separate tumor types. The Data Coordinating Center (DCC), establishes and executes standard operating procedures, designs and implements data analysis procedures that perform quality checks on incoming data and report anomalies to the data source sites, and implements a data management pipeline to process data and prepare it for public distribution in formats and systems compatible with the caBIG program.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system collects medical gene data that is de-identified. The system does not collect any IIF. There are multiple de-identifying steps, so that no names, social security numbers, or any of the eighteen (18) HIPAA identifiers are collected. The system does collect de-identified gene data for research.
Patients voluntarily sign a consent form to allow their data to be used for research.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Tobacco Use Supplement to the Current Population Survey (TUS-CPS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0368
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Tobacco Use Supplement to the Current Population Survey (TUS-CPS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anne Hartman
10. Provide an overview of the system: The Tobacco Use Supplement to the Current Population Survey (TUS-CPS) is an NCI-sponsored survey of tobacco use that has been administered by the US Census Bureau as part of the Bureau of Labor Statistics' Current Population Survey in 1992-1993, 1995-1996, 1998-1999, 2000, 2001-2002, 2003, 2006-2007, and will be fielded in 2010-2011 upon OMB’s approval of reinstatement with revision. The Centers for Disease Control and Prevention (CDC) co-sponsored with NCI the 2001-02, 2003, and 2006-07 survey waves.

The main data can be requested from the Census Bureau Website. A link to the Census Bureau Website ordering page is provided from the DCCPS Website: riskfactor.cancer.gov/studies/tus-cps/info.html.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: There is no PII in the system. The TUS-CPS is a key source of national and state level data on smoking and other tobacco use in the US household population because it uses a large, nationally representative sample that contains information on about 240,000 individuals within a given survey period. The TUS-CPS generally contains items covering:

cigarette smoking prevalence and history,
current and past cigarette consumption,
cigarette smoking quit attempts and intentions to quit,
medical and dental advice to quit smoking,
cigar, pipe, chewing tobacco, and snuff use,
workplace smoking policies,
smoking rules in the home,
attitudes toward smoking in public places,
opinions about the degree of youth access to tobacco in the community (1992 - 2002),
attitudes toward advertising and promotion of tobacco (1992 - 2002),
cost and purchase of cigarettes (2003-),
treatments and methods used to try to quit/quit smoking cigarettes (2003, 2010-2011),
use of harm reduction products (2003, 2006-07).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII in the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Translational Science Meeting (TSMS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: None
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NCI Translational Science Meeting
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nelya Gunina
10. Provide an overview of the system: NIH NCI Translational Science Meeting participants register for a workshop and submit abstracts that the participants will potentially present at the meeting. There is no data on the system and no PII on the system and no data will be collected, maintained, or stored until July 2010. The information collection mechanism is disabled until July 2010.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 5 U.S.C. 301; 44 U.S.C. 3101. Meeting participants will register for the workshop and will post a limited amount of work-related information (abstracts) to a website when a conference is forthcoming. The information is used to identify the participants and collect their submission information. There is no data on the system and no PII on the system and no data will be collected, maintained, or stored until July 2010. The information collection mechanism is disabled until July 2010. Information will be submitted voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained. There is no PII on the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NCI World App: Key Survey, PS-OC Survey 2012
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 4/4/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: 0925-0642-07
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI WorldApp Key Survey
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Katrina I Theisz
10. Provide an overview of the system: Key Survey is a tool that does not collect PII. We are using Key Survey to develop, distribute, collect, and analyze a customer satisfaction-style survey regarding the Physical Sciences-Oncology Centers (PS-OC) Program. Business email addresses will be collected prior to deployment of the survey (thus making it possible to deploy said survey). No PII will be collected in the survey. This information will be stored securely. To avoid linking each respondent to his or her email address, WorldAPP has implemented a procedure to identify respondents with numbers. We will not have access to the list which links their identification number to their email address, allowing our respondents to remain anonymous throughout the survey process, ensuring their safety as well as the quality of the data collected.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1. We will gather business email addresses for the surveys to be sent to. The surveys will not be gathering any PII.
2. We need the business email addresses so we have a way of distributing the surveys to the right people. The survey will be emailed to each of the respondents and their emails will be stored in the survey system. Each email will be linked with a respondent number. This is anonymous to us but it will still be stored for the duration of the survey process (expiration date 09/30/2014).
3. The surveys will contain no PII.
4. Participation is completely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1. N/A. No PII will be shared. Should there be changes to the online survey tool (ex: WorldAPP institutes an upgrade to Key Survey) the respondents' email addresses will not be shared, distributed, etc. Upon completion of our survey (once the data has been analyzed and we no longer need the emails for survey distribution, or 09/30/2014, whichever comes first), the email addresses will be removed.
2. N/A. We already had their email addresses. The surveys will not collect any PII.
3. The email addresses will be used for the following purposes:
-Distribution of the surveys
-Automated reminders to complete the survey
-Automated reminders that the survey is about to expire
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 6/7/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI AMB Survey
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/5/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Administrative Management Branch (AMB) Survey
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Felicia Powell
10. Provide an overview of the system: Administrative Managing Branch (AMB) Survey is an online survey to record how AMB has been serving its NEI clients. The survey asks about topics such as the types of services provided, level of interaction, professionalism in the office, etc. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This voluntary survey collects information from NEI staff about services provided and quality ratings. It includes names of Administrative Officers and optional user names and organizational information (they can leave these fields blank and submit the survey anonymously). Data is analyzed to evaluate administrative services. The system does not contain PII--only business contact info for NEI staff.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A--The system does not collect, store, or disseminate PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/24/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Animal Order and Support
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Animal Order and Support
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Raber
10. Provide an overview of the system: NEI Animal Order and Support is used to track all animal orders coming in and out of NEI. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system collects biological details about animals, care and housing information, and associates them with investigators. The system collects this information for tracking and ordering laboratory animals and their protocols. There is no PII, and submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not collect, store, or disseminate PII. All relevant administrative, technical, and physical controls are inherited from the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 8/4/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI CAF Animal Order and Support
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Central Animal Facility (CAF) Animal Order and Support
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Raber
10. Provide an overview of the system: Central Animal Facility (CAF) Animal Order and Support is an NEI-run tracking system. This system tracks animal orders for the CAF for multiple NIH ICs: NIDCR, NICHD, NIMH, NHGRI, NINDS, NEI, NCI, and OD. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system collects biological details about animals, care and housing information, and associates them with investigators. The system collects this information for tracking and ordering laboratory animals and their protocols. There is no PII, and submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not collect, store, or disseminate PII. All relevant administrative, technical, and physical controls are inherited from the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 8/4/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Calcium Calendar
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 1/7/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Calcium Calendar
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Robert Fariss
10. Provide an overview of the system: The Calcium Calendar is a commercial off-the-shelf, web-based scheduling software that allows the administrator to create calendars that users of the system can access for reserving equipment or services. The Calcium Calendar is hosted on an NEI server provided by NEI's IT branch. The Calcium Calendar hosts equipment pages for the Biological Imaging Core, Flow Cytometry Core, and Visual Function Core. Only NEI employees with a valid NIH login and password are able to access the calendars, because the login authentication uses the NEI employee roster, which is constantly updated. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The only information collected about the user is federal contact data--the user name and work telephone number--for managing scheduling of equipment in National Eye Institute core facilities. The Calcium system does not collect PII about members of the public, only business contact info for federal employees, which is required for proper scheduling.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A--The system does not collect, store, or disseminate PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/24/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Cogan Collection Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Cogan Collection Website
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Fausto Vela
10. Provide an overview of the system: An extensive collection of clinical ophthalmic cases and their pathology for use by researchers and clinicians to aid in preventing, diagnosing, and treating diseases of the eye and visual system. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The Cogan Collection website is an extensive collection of clinical ophthalmic cases and their pathology for use by researchers and clinicians to aid in preventing, diagnosing, and treating diseases of the eye and visual system. The cases and the pathology were collected by the late Dr. David Glendenning Cogan during his career and are now posted to the internet. There are no access restrictions (i.e., public access) to the website as it is designed to be available to all doctors, students, etc. for learning/research purposes. The cases do not identify patients and are intended to be used as a teaching collection of ophthalmic pathology. The only information provided for any case is age and gender (i.e., 45-yr old male). Photographs are of different parts of the eye and cannot be used to identify individuals. PII is not collected, shared, or maintained.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not collect, store, or disseminate PII. All relevant administrative, technical, and physical controls are inherited from the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 3/7/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Computer Inventory
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Computer Inventory
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Don Smith
10. Provide an overview of the system: Dynamic form for collection of NEI computer inventory information and data. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NEI Computer Inventory is a dynamic form used to help NEI maintain and track computer inventory and data. The Inventory form collects information such as serial numbers, computer names, MAC addresses, IPs, etc. This information is mandatory to maintain an accurate inventory. The inventory does not collect, store, or maintain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not collect, store, or disseminate PII. All relevant administrative, technical, and physical controls are inherited from the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 3/2/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Employee Database Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Employee Database Internet Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Felicia Powell
10. Provide an overview of the system: NEI EDie is a system that pulls HR information from the NIH system HRDB. This data is then used by NEI for HR and administrative purposes.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The NEI EDie system only discloses information within NIH during transfers, terminations, and hires of new employees within NIH/NEI.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EDie pulls existing HR data from HRDB, FPS, NED, and FSA Atlas. This includes business contact information for all NIH employees and contractors, and more specific payroll information for NIH employees only. Its function is to consolidate the data from these various sources and allow easily customizable reporting for personnel data analysis. The information includes PII for government employees only; submission in the original systems is mandatory. Only 6 members of NEI have access to this data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is not a notification process yet. Will develop one with the new NEI EDie C&A.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Logical access to EDie is primarily via the web site. Specific roles are managed by EDie. Access to the server running EDie is limited to authorized system administrators via Active Directory (AD). SQL access is limited to authorized system administrators via AD and to three SQL accounts. NetComm support staff and the EDie web application have read/write access to the database information. A SoFie/EDie direct database link has read-only access to EDie. Two system administrators assign access roles to a restricted group based on job function. Only AOs and ATs (and the sysadmins) have access to PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Eye Bank (NEIBank)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8710-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): 2004 UPI=009-25-01-26-02-8710-00-202-069, Older UPI=009-25-01-26-02-8710-00
7. System Name (Align with system Item name): NIH NEI Eye Bank (NEIBank)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Graeme Wistow
10. Provide an overview of the system: NEIBank is a web-based resource for the ocular genomics community.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The data presented includes annotated, public domain expressed sequence tag (partial cDNA sequences) collections for multiple eye tissues from human and several other species; public domain eye-related human SAGE data; a database of known human eye disease genes from the published literature; and visualization tools for the genomic loci of as yet unmapped eye diseases. These resources provide an overview of the known transcriptional repertoire of the eye with visualization of specific clones, splice variants, human SAGE tag counts and candidate disease regions.

There is no IIF or personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There are no processes in place. The system does not collect, maintain or store IIF or any user solicited material.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Grants Management
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-8712-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): 2004 UPI=009-25-04-00-02-8712-00-205-080, Older UPI= 009-25-01-03-02-8703-00
7. System Name (Align with system Item name): NIH NEI Grants Management
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Fausto Vela
10. Provide an overview of the system: Support management of NEI's grants.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system shares IIF with NIH IMPAC II. Information is shared to allow grants management administration data to be synchronized with IMPAC II.

09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system shares IIF with NIH IMPAC II. Information is shared to allow grants management administration data to be synchronized with IMPAC II.

IMPAC II states that information is given to IMPAC II voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All information is extracted from IMPAC II - all consent and notification is handled by IMPAC II.

The system does not have any notification and consent processes in place in addition to the IMPAC II procedures.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical access to the NIH campus requires an identification badge or registration as a visitor. Physical access to all server rooms is restricted; a brass key is required.

Data is stored on the system in folders with permissions appropriate to the data. Active Directory enforces access. Folder owners are responsible for authorizing access for individuals and adding them to existing permission groups.

Access to the files and databases is through userid and password as enforced by NIH Active Directory. An additional userid/password challenge is presented when logging in to the database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Histology Lab Database
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Histology Lab Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Chi Chao Chan
10. Provide an overview of the system: Referring physicians send the patient's name, age, and clinical history as part of request for histological analysis; lab staff enter data; senior lab staff add test results and generate reports to send back (in hard copy) to the referring physician.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Analysis report is sent back to the referring physician for treatment.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: NEI collects patient name, age, and clinical history from the referring physician; NEI adds a record number and a write-up of analysis results. The information contains PII, and participation is voluntary, though PII is required if patients choose to participate.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) A detailed consent form is provided to the referring physician and must be returned with the patient's signature. Patient consent is necessary *before* samples are sent for analysis, and the referring physician is the logical point of contact. Also, the analysis is provided to the referring physician for diagnosis and treatment. Because there is no direct contact between NEI and patients, and because the analysis is a one-time service, no changes are anticipated after the fact, and no notification process is in place.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical access to the NIH campus requires an identification badge or registration as a visitor. Physical access to all server rooms is restricted; a brass key is required.

Data is stored on the system in folders with permissions appropriate to the data. Active Directory enforces access. Folder owners are responsible for authorizing access for individuals and adding them to existing permission groups.

Access to the files and databases is through userid and password as enforced by NIH Active Directory. An additional userid/password challenge is presented when logging in to the database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/24/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI I2I
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI I2I
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lore Anne McNicol
10. Provide an overview of the system: I2I is a readily-searchable NEI grant application database based on NIH's IMPAC II system. NEI extramural research staff use it to retrieve information in managing their grant portfolios.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system shares PII with NIH IMPAC II. Information is shared to allow grants management administration data to be synchronized with IMPAC II.

09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: I2I imports grant data from IMPAC II for simpler, more customized viewing. We use the information to analyze, review, and decide which grants we are going to fund. Applicant name, birthdate, phone number, e-mail, and address are included; contact info could be business or personal. Submission is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All information is extracted from IMPAC II - all consent and notification is handled by IMPAC II.

The system does not have any notification and consent processes in place in addition to the IMPAC II procedures.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Everyone who comes on the NIH campus must have an identification badge or register as a visitor. Physical access to all server rooms is restricted; a brass key is required.

Data is stored on the system in folders with logical access appropriate to the data. Domain controls restrict access. Folder owners are responsible for authorizing access for individuals and adding them to existing permission groups.

Access to the files and databases is through userid and password as enforced by NIH Active Directory. An additional userid/password challenge is presented when logging in to the database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/24/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Internet Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): Old: 2004 UPI 009-25-01-27-02-8711-00-305-109, Old UPI: 009-25-02-01-02-3036-00
7. System Name (Align with system Item name): NIH NEI Internet Web site
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kym Collins-Lee
10. Provide an overview of the system: To share information with the public about vision research and eye diseases and disorders.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Mailing list and contact information for those requesting information from NEI's Office of Communications. 09-25-0106

A separate email list is maintained by the subscribers. It contains only the email address of the subscriber.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Contact information is voluntarily collected. Information collected is only the information necessary to mail pamphlets or other printed information. Email address is voluntarily entered if the user joins an email list.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is submitted voluntarily; consent is assumed when contact information is submitted. Individuals may request corrections to or be removed from the email list.

There are no processes in place to notify users when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Requests for information, name and address, are only available to NEI staff.

Email addresses on the email list are maintained by NEI staff and by specific request of the subscriber.

The system is monitored daily for intrusion using Big Brother, system logs, disk usage, and other indications of intrusion. McAfee Outbreak Manager is used to control any possible virus outbreaks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Intranet Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): National Eye Institute (NEI) Intranet
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anna Harper
10. Provide an overview of the system: The NEI Intranet Website is an information sharing site dedicated to providing only NEI users with vital information about NEI as an organization as well as useful administrative information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: N/A - No PII collected or disseminated
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All security controls can be found in the NEI GSS C&A SSP. The NEI Intranet falls under the NEI GSS and inherits all its controls.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All controls can be found in the NEI GSS SSP.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI NEI eyeGENE [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/3/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NEI eyeGENE v6
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Santa Tumminia
10. Provide an overview of the system: The eyeGENE system stores phenotype, genotype, patient demographic, and other administrative data collected from various types of participating users. Sharing this information among clinicians and researchers allows the analysis of larger datasets that are necessary to identify novel genetic risk factors for ocular diseases, and answer pharmaco-genetic and epidemiologic questions of ocular disease.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The eyeGENE system is accessed by four classes of users: clinical, CLIA Lab, central administrators, and researchers viewing anonymized data through the analytical interface. The last category of user never has access to any PII.

Clinical users have full access to PII for the patients of their own clinic. This PII would be maintained and accessible to all such users via medical records in their clinic.

All CLIA users have IRB clearance that requires close protection for any PII they may view. Nevertheless, CLIA users do not see the name, address, phone number, or other related identifying information concerning a patient for whom DNA has been shipped for processing. The only identifying information that a CLIA lab sees for a patient is race, sex, and date of birth. Race and sex are required to be accessible as these are related to the genetic test results being processed. DOB is required to ensure that the DNA tube being processed is in fact for the correct patient. Once again, all CLIA lab users must have IRB clearance, which ensures protection of these small pieces of PII data.

eyeGENE central administrators, all of whom are staff of the NEI, have access to full name, address, phone number, race, sex, and DOB for patients, as these are needed for various eyeGENE functions. All such staff who have access to this data are subject to rigorous security screening and all are authorized to view such PII data.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The eyeGENE system collects data for phenotypes, genotypes, tissue specimens, medical images, consent forms, patient demographics, specifications for event-triggered emails to selected eyeGENE users, dynamic metadata defining clinical questions for each diagnosis, plus supporting administrative and additional data. This data is collected to allow researchers to analyze correlations between phenotypes and genotypes for inherited eye disorders, and also to manage the real-time collection and validation of such data as entered by multiple eyeGENE partners. This information is shared with individually identifiable data fields only by those authorized users directly involved in handling this information, including clinicians who perform exams on this patient. Aggregated and anonymized data, containing no PII data, will be made available to authorized users with a research interest in this data. A limited set of PII is collected for patients, primarily in fields for name, address, phone number, race, sex and date of birth. Access to PII is carefully controlled and protected, with access only by authorized users and multiple layers of security protection as well as audit tracking for all system functions. Submission of this limited set of PII for patients is mandatory, as clinicians must have access to such information for appropriate patient care.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) A written, signed consent form is required for patients to participate. For each participating clinical organization collecting data, the phone number of the organization and the email of at least one staff member of the organization will be kept as contact information should some intrusion into eyeGENE that could compromise privacy be detected.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The eyeGENE system is accessed by four classes of users: clinical, CLIA Lab, central administrators, and researchers viewing anonymized data through the analytical interface. Each class has its own distinct level of access and verification.
Technically, the system design of eyeGENE contains multiple protections to ensure that all data, including PII, is available only to authorized users. These security protections are designed to high government standards, and are closely reviewed for each new release of the eyeGENE system. In addition, an audit log is maintained tracking each time any user accesses PII, which serves as a double-check to track who viewed such data.

Physically, all eyeGENE data is stored on CIT servers, hosted at NIH, behind the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI NextGen
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI NextGen
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Elizabeth Murphy
10. Provide an overview of the system: The NextGen system (COTS from NextGen Healthcare Information Systems, Inc.) is a highly customizable system for the capture of clinical data. The NEI has implemented this system as a clinical research database, which is used by all authorized clinical personnel for the real-time capture of clinical research data in the NEI outpatient clinic. This data includes demographic, medical history, medication and ophthalmic data. All data in the system is collected as part of IRB approved clinical research protocols which govern its use.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Data is shared for the purpose of clinical research, as part of IRB approved protocols involving members of different ICs.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NextGen system is used for the real-time capture of clinical research data in the NEI outpatient clinic. This data includes demographic (including PII), medical history, medication and ophthalmic data. All data in the system is collected as part of IRB approved clinical research protocols which govern its use. The collection of personal information is mandatory for enrollment in a clinical protocol; however, said enrollment is completely voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Within an ongoing clinical protocol, changes to the protocol, including changes in how the data from the protocol will be used, can trigger the need to re-consent the patient. This re-consenting process informs the patient of the changes. Data from a terminated clinical protocol can be re-used with the permission of the IRB, although it would be de-identified before re-use unless the patient was contacted to re-consent. The method for contacting the patient would be determined by the IRB based on the information which was to be included in the research analysis.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to the PII on the system is managed through the process of only granting login accounts (user name, password and/or PIN) to authorized clinical personnel. Logins are managed as security groups to further manage the level of access, ranging from read-only for low-level support staff to full access for system administrators. However, because of the interface from the hospital admissions department, all local changes (changes by users with login access) to demographic information (name, address, DOB, etc.) will be over-written by the patient-authorized changes transmitted from the NIH CC admissions department.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Oracle Password Changer
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Oracle Password Changer
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Don Smith
10. Provide an overview of the system: Enable users to change their own Oracle passwords without logging on to Oracle. This application runs internally and adheres to the NIH password policy. The system does not collect, store, or disseminate PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system requires the user's Oracle username and password, so they can update their password periodically for good IT security. Users can be NEI staff, including employees and contractors. The information contains no PII. No PII can be used to substitute for a username or password, and rules are strict enough that it is unlikely anyone will use PII for their password.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not collect, store, or disseminate PII. All relevant administrative, technical, and physical controls are inherited from the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/16/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Property Forms
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Property Forms
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Cheyanne Keene
10. Provide an overview of the system: This system allows NEI staff to electronically request a property pass, property transfer, move request, or surplus request. This system was designed as a means of speeding up the process of these requests. The requests do not require the collection of personal information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Basic information such as name, location and phone number is gathered. Information is imported from the NIH Enterprise Directory for NEI staff only. Other information collected includes lab/branch, property custodian, specific property item details (decal, manufacturer, model, and serial) and CAN number. This information is used to process the specific request within the NBS Property. Contact information is required for the process, but this system does not contain PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not collect, store, or disseminate PII. All relevant administrative, technical, and physical controls are inherited from the NEI GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 3/11/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Recognizing Extraordinary Work and Rewarding Distinguished Service (REWARDS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: none
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NEI Recognizing Extraordinary Work And Rewarding Distinguished Service (REWARDS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Debra Milans
10. Provide an overview of the system: database and web interface to submit, route, and approve incidental award nominations
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: staff names, work contact info, and award justification and approval information, to automate workflow of the award nomination and approval process; there is no PII
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Status of Funds Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): NA
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NEI Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Marilyn Laurie
10. Provide an overview of the system: SOFie is a Web-based financial reporting/tracking tool that enables NIH ICs to manipulate and report on financial transactions downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance database comprises data downloaded from the NIH Business System.) Appointment and authority is given to the National Institutes of Health under 5 U.S.C. 301 and 302, 44 U.S.C. 3101 and 3102, Executive Order 9397.

The SOFie application supports the efforts of several offices and branches within NEI, allowing budget offices to track expenditures of direct, reimbursable, and non-appropriated funds in a fiscal year. Additionally, SOFie is used to reflect budget allocations and projected expenditures at the operating level.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the Privacy Act systems notice 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the allowed disclosures of IIF.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Grantee and contractor (NIH grant recipient and contractor) information maintained comprises: name and financial account information. User (NIH employee) information maintained comprises: name, business phone numbers, email addresses. NEI accounting transactions are downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance database comprises data downloaded from the NIH Business System.) The data is used to plan, track, and report on NEI fiscal budgets.

The SOFIE system collects First Names, Last Names, Business Phone Numbers, Fax Numbers, and Email Addresses of its users voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No processes are in place to notify and obtain consent from the individuals whose information is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.
When applying for grants or contracts, applicants are informed that information is collected for accurate identification, referral and review by program managers. Refer to the system of record 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for a summary of the notice of uses of information.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV
Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)
Administrative controls: Weekly backups, weekly log file checks, warning banners, database management
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Telework
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: no
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NEI Telework Application
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Trevor Peterson
10. Provide an overview of the system: The NEI Telework Application is an NEI automated system that allows for the submission, routing, and approval of telework requests. It is an institute-wide, mandatory, automated system that replaces a manual process.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Disclosures are made in accordance with SOR # 09-25-0216
Names and contact information of individuals are collected and may be shared within the Institute or division in order to carry out the business process.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system is used to request approval for telework and store agreement (schedule, work arrangement, justifications) and necessary contact information (name, work org, address, phone, fax, e-mail, home address, phone, fax). Other than names and contact information of applicant employees, and the names and e-mail addresses of the approving officials, it tracks no other personally identifiable information. The workflow process involved allows the position and disposition of a task or activity (with whom, when) to be identified in the organization. Information is obtained voluntarily.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The IIF contained in the system is that of employees and contractors of the Institute. This information was obtained voluntarily from the employees and is used to manage administrative tasks within the department. There is no process in place to notify individuals of how their IIF will be used or if major changes occur.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical access to the NIH campus requires an identification badge or registration as a visitor. Physical access to all server rooms is restricted; a combination or brass key is required.

Data is stored on the system in directories with permissions appropriate to the data and reviewed by the system administrator. The operating system enforces access based on the userid.

Access to the files and databases is through userid and password as enforced by the operating system. An additional userid/password challenge is presented when logging in to a database.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI Transgenic Mouse Database
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NEI Transgenic Mouse Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Wawrousek
10. Provide an overview of the system: The transgenic mouse database is a central repository for information about transgenic mice we are maintaining, and have maintained, in the NEI Intramural Research Program (IRP). It also tracks frozen mouse lines. Since the NEI Genetic Engineering Core tracks thousands of mice, and thousands of frozen samples, it is absolutely essential to have this information in an orderly database from which data can easily be retrieved. The database consists of multiple data tables in an Oracle database. The front end is accessed via a set of programs in MSAccess, and there is a web interface which allows IRP investigators to retrieve information about their mice directly from the database. The system does not involve PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A: The system does not collect, store, or disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) Most of the information in the database is generated by the Genetic Engineering Core (GEC). It deals only with investigators' mice and frozen mouse lines, and all information is only for government use. We do have investigators' names and their NIH laboratory and section affiliation. No personal information is maintained. (2) We use the information internally only to track GEC services provided to individual investigators. (3) As stated in (1), the system contains only the name of the federal investigator and his/her NIH laboratory/section affiliation. (4) Not applicable.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A: The system does not collect, store, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A--The system does not collect, store, or disseminate PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/28/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NEI VISION Network Members Only
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/6/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): VISION Network Members Only
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kym Collins-Lee
10. Provide an overview of the system: The purpose of the VISION Public Information Network is to communicate vision research results to the public through its grantee institutions. Public Information Officers from NEI grantee institutions work with the NEI to develop ongoing programs to educate the public about the benefits of vision research. The Members Only section allows members to access special media materials, to post news releases, projects and events, and to advertise job opportunities.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): (1) Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

(2) Disclosure may be made from this system of records by the Department of Health and Human Services (HHS) to the Department of Justice, or to a court or other tribunal, when (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has any interest in such litigation, and HHS determines that the use of such records by the Department of Justice, court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Names and e-mail addresses are used by the NEI staff and grantees to access the system to update the information and add new study descriptions. Names and e-mail addresses are required for the user to access the VISION Network Members Only section. Contact information of list members is available only to each other.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) A statement is included on the web site indicating the only usage is for the subscribers to communicate with each other. The only information collected is that supplied by the subscriber. If any change of information usage is made the subscribers will be contacted via email.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The server containing the VISION Network Members Only section is maintained by an NEI contractor who follows guidance from NSA, NIST, SANS, and CERT to maintain the security and integrity of the system.

Information contained in the lists is maintained by NEI staff and by specific request of the subscriber.

The system is monitored daily for intrusion using Big Brother, system logs, disk usage, and other indications of intrusion. McAfee Outbreak Manager is used to control any possible virus outbreaks.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Trevor Peterson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Attention Deficit Hyperactivity Disorder Database [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/27/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-9199-00-404-138
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: not applicable
6. Other Identifying Number(s): not applicable
7. System Name (Align with system Item name): NHGRI Attention Deficit Hyperactivity Disorder Database (ADHD)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Maria Acosta, MD
10. Provide an overview of the system: Database of demographic and clinical research data on ADHD (Attention Deficit Hyperactivity Disorder).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Data is shared among members of the ADHD research team. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Name, date of birth, mailing address, phone numbers, medical notes, email address, family and blood sample accession numbers, questionnaires completed by study subjects. Information is given voluntarily.

This research study on the genetics of Attention Deficit/Hyperactivity Disorder is collecting information from families with affected children in order to better understand the impact of genetics on the transmission of the disorder, and its manifestations.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Patients and/or parents sign an IRB (Internal Review Board) informed consent form that is mailed to them and mailed back to the research study coordinator. Patients and/or parents are informed that protocol-related information will be used for research purposes and restricted to study team members only. Families that agree to participate are contacted by the study coordinator. No changes to the system or modifications to the database have been made since the original design. No modifications are expected. There is currently no reason to re-contact families that have finished the data collection part of the study.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access is limited to research team members only; files are backed up regularly and backup files are stored offsite; user ID and password required; firewall present; accounts locked after five minutes of inactivity; computers in locked offices.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Career Resource Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/27/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 0
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): no
5. OMB Information Collection Approval Number: 0
6. Other Identifying Number(s): 0
7. System Name (Align with system Item name): NHGRI Career Resource Web Site
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carla Easter
10. Provide an overview of the system: The National Human Genome Research Institute (NHGRI) has developed an interactive on-line Genetic and Genomic Careers Resource Tool. The main goals of the web site are to educate and engage the audience in understanding what “genomics” is and to identify and describe the careers that exist now and may exist in the future in these highly active and emerging fields of science.

The web site is designed to provide Internet access to:
Inform students about possible careers in genetics and genomics;
Show the relationship between genetic careers and other disciplines (i.e., science writing);
Provide a resource for students, career counselors, parents, and teachers;
Provide viewers with a basic understanding of important information about genetics and genomics research; and
Expose the audience to professionals doing cutting-edge science.

Web site visitors will have the option to create their own “personal” web page within the site (which will be password protected) by setting up a logon profile. Personal pages will allow owners to create their own personalized list of the careers that they are most interested in and to rank their site preferences. Users will have the option to utilize this feature of the web site, but will not be required to create a profile in order to use the site itself. Users may create a profile by creating a username and password that will allow them to access the site. User login information will not be managed by this site. If the user name and password are forgotten, the user will have to establish a new set of credentials. The user has full control of his/her personal page; NIH will not collect any information to manage these pages.

Users of this site cannot customize their personal pages to contain any contact information, links or photos. The personal page only tracks choices made from the site while the person is on the site.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Registration information for setting up a personal profile/web page includes a user-defined username and password, which will be maintained on the server. This information is needed only if the user creates a personal web page and wants to access it at another time. Creating a personal profile is not required (it is voluntary). No IIF is collected or stored on the system. The information provided is about genetic careers and other disciplines (i.e., science writing).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: Yes
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Community of Genetic Educators (CoGE)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/1/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Community of Genetic Educators (CoGE) NIH
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jeff Witherly
10. Provide an overview of the system: The "Community of Genetic Educators" web site was created to help connect genetic educators online. It is a forum for information sharing. With so many resources available, it is sometimes difficult for educators to know what will work in the classroom. This web site may be used to find resources, to recommend resources, learn from other members in similar situations, act as a mentor to other members, submit helpful lessons learned and resources, and work with the education team at the NIH Genome Institute (NHGRI) in reviewing and refining learning tools.

Each site visitor is asked to register on the first visit. Registration includes setting up an account with password, name, email address, state/country, zip code, language, time zone, current education position, type of school info, teaching experience and instructional focus. Voluntary information that further defines the visitor includes affiliations, a text box for a biography and the option to add a photograph.

After registration the visitor is given immediate access to the site which includes many resources and a messaging forum.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: To register for site access, the following information is mandatory: First and last name, email address, country, state, zip code, language, time zone, current education position, other positions, type of school, minority serving institution, location, school level, teaching experience, and instructional focus. Of the information required, name and email address are considered to be information in identifiable form (IIF).
The following information is voluntary: affiliations, biography, photo. A photo is considered to be information in identifiable form (IIF).

The "Community of Genetic Educators" web site was created to help connect genetic educators online. It is a forum for information sharing. With so many resources available, it is sometimes difficult for educators to know what will work in the classroom. This web site may be used to find resources, to recommend resources, learn from other members in similar situations, act as a mentor to other members, submit helpful lessons learned and resources, and work with the education team at the NIH Genome Institute (NHGRI) in reviewing and refining learning tools.

Each site visitor is asked to register on the first visit. Registration includes setting up an account with password and includes the mandatory information listed above. Voluntary information further defines the visitor and will better introduce this person to others visiting the site.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is an extensive Privacy statement displayed on the registration page. Additional information is made available through a link called “Privacy” displayed on each web page, which includes the following:
Personally Provided Information
Information Required For Membership:
We require each member to enter a limited amount of personal information as part of the registration process of the CoGE web site. This information is typically required as part of our NHGRI educational course registrations, and will be used at the CoGE for contacting CoGE members about events, opportunities, and new educational products of value.
We have made every attempt to make the required information as minimal as possible for members. This information includes: your name, your email address, country, state, zip code, and current educational position (teacher, administrator, other). We will also ask you to choose a member name and a member password.
Your real name, and your email address are not shared online in the CoGE. Only CoGE administrators have access to this personal information. Members will only know your member name and your CoGE email address.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The amount of IIF collected is minimal, only that which is absolutely needed to meet the needs of the system's purpose.

Registration information is not available to the users of this site unless they choose to share with one another. This voluntary sharing of information is not being managed by the system.

From an administrative point of view, only a limited number of staff have access to the IIF. Support personnel will have access for maintenance purposes. The system owners and administrators will have access for the creation of aggregate reports. A well-constructed set of rules of behavior is in place for all who have access to the IIF.

The technical and physical aspects are properly cared for by placing the system on a secured server, in a secured location. A separate C&A was completed for the server that houses this application by the IT staff.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Edie
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/14/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NHGRI Edie
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Patricia Messick
10. Provide an overview of the system: Employee Database System Internet Edition (EDie) is the web-based and enhanced version of the VEDS. EDie, a client server application, provides integrated, next generation solutions with web-based access to employee management data. Personnel information is funneled through the HRDB, NED, and FPS databases to EDie, thus providing administrative staff with up-to-date information on all personnel. This information is important to ensure renewals are processed in a timely fashion, new hires are captured, FTE/Non-FTE projections, as well as ensuring NHGRI remains equitable in our pay structure for all positions.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is intended for internal administrative use only and will not be shared by other entities. Refer to SORN 09-90-0018, SORN 09-90-0024 and SORN 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EDiE tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the Human Resources Database (HRDB) system, Fellowship Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports requested by the NIH Director, the IC Director, and other management staff, as requested; and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments. The information collected constitutes IIF and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) IIF in the system is downloaded from the HRDB, FPS, nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is used are relayed to employees via official notices from the NIH Office of Human Resources (OHR). Individuals are notified of the collection and use of the data as part of the hiring process. This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF stored in EDiE is accessed by a very limited number of administrative staff with a “need-to-know” status. EDiE is password protected and sensitive data is encrypted. The system is located on a server in a secure server room behind the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI LabMatrix
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/24/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: no/a
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: not applicable
6. Other Identifying Number(s): not applicable
7. System Name (Align with system Item name): Labmatrix
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr Gretchen Gibney
10. Provide an overview of the system: Research and clinical database which contains information related to clinical and research laboratory data collection and findings from Institutional Review Board study protocols. NHGRI professional medical staff (MD, RN, Genetic Counselor) and scientific laboratory personnel (PhDs, technicians, data managers) access for research purposes only.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Restricted to research. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Research and clinical database of patient PII including demographics (e.g., address, date of birth, gender), study enrollment and consent information, medical records, test results, medical record number, photographic identifier, email address, employment data. IIF contained. Information submission is voluntary. Information is used for research purposes only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Individuals whose PII is in the system have provided it voluntarily for research purposes with implicit consent and/or explicit consent by way of an Institutional Review Board (IRB) approved consent form. In the event of significant changes in disclosure or usage of data collected under the authority of an IRB consent process, individuals would be re-consented per IRB guidance.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access is PIV card/PIN restricted to authorized users, and administrative and technical access controls for each user are specified individually on a least privilege basis. All data transmissions are encrypted, all transactions are monitored, and application and database server are housed in a locked, secure setting.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI NHGRI Twinbrook Data Center [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/30/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: no
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): no
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NHGRI Twinbrook Server Room
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ed Whitley
10. Provide an overview of the system: The system is a General Support system (GSS) and does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system is a General Support System (GSS) and does not directly collect or store information. The applications/systems residing on the GSS collect and store information. Therefore, individual PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: 
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI NHGRI Two Democracy Data Center [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/30/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHGRI Two Democracy Server Room
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ed Whitley
10. Provide an overview of the system: The system is a General Support System (GSS) and does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system is a General Support System (GSS) and does not directly collect or store information. The applications/systems residing on the GSS collect and store information. Therefore, individual PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Status of Funds Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/27/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3199-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): no
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NHGRI Status of Funds Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ann Fitzpatrick
10. Provide an overview of the system: An organizational reporting tool that allows an organization to manipulate and report on financial transactions downloaded from the NIH Central Accounting System. The information is general accounting info by category, with totals by category, and has no info specific to employees.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): no
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from CAS/Central Accounting System mainframe and is specific to NHGRI/OD Office for its fiscal year operations. The information is general accounting info by category (ex. wages), with totals by category, and nothing specific to individual employees. The system contains no PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Trainee Tracking Database
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/13/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: not applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: not applicable
6. Other Identifying Number(s): not applicable
7. System Name (Align with system Item name): Trainee Tracking Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dave Kanney and/or Bill Pavan
10. Provide an overview of the system: The system supports the overall training mission of the intramural program through the monitoring and tracking of trainees at all levels. The database enables the ITO (Intramural Training Office) to create and manage records for all trainees. A record of each trainee contains name, degree, gender, race, department and mentor and is maintained to capture aggregate demographic information, to track the progress of individual trainees, and to manage follow-up surveys, annual reviews, and exit interviews critical for the evaluation of the training program. The information in the database, aggregated across the data set, presents a snapshot of the size and demographics of the trainees each year.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Annual review dates, branch, position title, EOD (Enter on Duty) date, merit award data, mentor’s name, name, gender, race/ethnicity for diversity and evaluation purposes. The system contains IIF and submission of gender, race/ethnicity is voluntary.

The information is used to track the progress of individual trainees, and to manage follow-up surveys, annual reviews, and exit interviews.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Any changes in the system would not change the data, therefore, there is no need to notify and obtain consent.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Database secured behind locked doors, login/password/ID protected with very limited 'need-to-know' users.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Undiagnosed Disease Program (UDP)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/11/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: no
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NIH Undiagnosed Disease Program (UDP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: David Adams, M.D., Ph.D., Building 10, Room 10C103B, NIH Bethesda Campus, 20892. Phone 301 402 6435
10. Provide an overview of the system: Microsoft SharePoint will be used as a tool to store data so that medical information related to the Undiagnosed Disease Program (UDP) can be shared easily with medical staff involved in the UDP program. Those who will have access are NIH credentialed clinical providers and administrative persons who handle identifiable clinical data in other forms (for example, UDP-associated non-clinical CRIS users).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): no
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1. Collected information will include such items as scanned medical records sent to the NIH, participant photographs, and binary files from tests that cannot be stored in the available clinical information system, e.g. electroencephalogram data.
2. The information will be stored in order to provide access to NIH clinical staff who need to review the extensive medical histories associated with typical UDP participants. Such review will allow the users to make decisions about accepting individual participants, and to plan for the care of participants who will travel to the NIH to participate in the UDP program.
3. The information will contain PII
4. Participation in the UDP program is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The data contained in this system is collected in accord with the clinical consent used for the UDP program. The original copy of the information is the hard copy that is sent by the participant to the NIH. The SharePoint copy of the data will be used for the same purpose the original is used for, i.e. review by NIH clinical providers. If new uses of the information are proposed by the UDP investigators, the mechanism of those new uses will involve the hard copies and not the electronic copies on this system. To summarize, the rules for this SharePoint resource will be forced to be equal to or more restrictive than the rules for the medical record hard copies, thereby allowing the resource to be used within the constraints of the original clinical consent process. Individuals will be given notice of consent electronically.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This application is on a server in our data center. Access is granted by userid and password (the user must be in the NIH employee database). This program inherits all the security controls which are in place at our data center.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carol S. Martin, 301-402-5348
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Clinical Data System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7213-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NHLBI Clinical Data System (CDS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Zeyad Mobassaleh
10. Provide an overview of the system: The NHLBI-CDS collects and manages data emanating from clinical studies and allows for monitoring recruitment and tracking patients. It is a multi-tiered, Web-based system where research-related data are entered to facilitate the generation of regulatory reports and data sets for analyses.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The NHLBI-CDS produces Medical Record reports that are filed in the Clinical Center Medical Records Department and are also used to send to the patient’s referring physician. SOR number is 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NHLBI-CDS collects and manages data emanating from clinical studies and allows for monitoring recruitment and tracking patients and analyzing results. Collection of this information is authorized under sections 301, 319F-1, 402, and 405 of the PHS Act which authorize the HHS Secretary to conduct and support research.
The primary use of this information is to track clinical research results for studies conducted at the National Institutes of Health. Information such as patient name, address, medical history, test and procedure results, and other research related information is collected and maintained. NHLBI-DIR uses this information to analyze and report the results of clinical research being conducted within the division. The information collected includes IIF and all patients enrolled on clinical studies sign an informed consent related to their participation in clinical research. Some of the information is used for Medical Record reporting and for providing the patient’s referring physicians with the test results and assessments related to the patient’s visit. Information is provided on a voluntary basis as participation in clinical trial research is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All patients sign an informed consent (paper) related to their participation in clinical research and how their data will be used. There is no process for obtaining consent from individuals whose IIF is in the system when major system changes occur, however this system is an internal system (only available within NIH) and data are de-identified for the purpose of summarizing and publishing research results.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Data is maintained in a secure database. Routine access is restricted to authorized employees and contractors only according to the principle of least privilege by the use of user name and password access controls. Additional technical and administrative controls are also employed, including badge access, intrusion detection system, firewalls, virtual private networks, encryption, etc. The NHLBI-CDS staff monitors system access for intrusion detection and reviews audit logs to identify inappropriate browsing or inappropriate database access. Computer security incidents are referred to the NIH Incident Response Team (NIH IRT). Contractors are required to have employment suitability determinations, National Agency Checks, credit checks, and/or background investigations, commensurate with the position. Contractors are also required to sign an NIH non-disclosure agreement prior to being given access to the NHLBI-CDS. Contractors must take the NIH security awareness training.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Council
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): 009-25-01-26-02-7204-00-202-069 (UPI)
7. System Name (Align with system Item name): NIH NHLBI Council
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Zeyad Mobassaleh
10. Provide an overview of the system: The Council web site assists the NHLBI extramural staff and the council board members in preparing for council meetings. The Council system extracts the grant application information from NHLBI Tracking and Budget System (TABS) database and the members assigned to applications from IMPAC II (eRA) database. Council related documents are provided in the system by the divisions. The council members review the applications, view the summary statements and abstracts and make recommendations on the scientific merit of applications.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose PII data.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The Council system does not collect any information. Council is a National Heart Lung and Blood Institute (NHLBI) intranet website that enables NHLBI Council Advisory Board members to review their assignments and the NHLBI staff to track the applications discussed at the Council meetings. Council meetings are held 4 times a year. The Council system extracts the grant application information from TABS database and the members assigned to applications from IMPAC II (eRA) database. The council members review the grant applications, view the summary statements and abstracts, and make recommendations on the scientific merit of applications. The website contains only Federal grant data and it does not collect, maintain, or disseminate PII data. Council does not require the submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not Applicable.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI EDie
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NHLBI Employee Database Internet Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Christopher Bourdeau
10. Provide an overview of the system: EDie is an intranet based application primarily used to manage and track personnel information. The application downloads this information from the Human Resources Database (HRDB) weekly. Information entered into the EDie database is not uploaded into the HRDB. Due to the sensitivity of the personnel data in this system, access to the EDie database is limited to specific users within the IC. Users are assigned roles that restrict what data they may view and what functions they can perform. Access privileges are enforced through authentication within the database.

Authority for maintenance of the system: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is intended for internal senior administrative use only and will not be shared with other entities. Please refer to SOR # 09-90-0018, Personnel Records in Operating Offices, HHS/OS/ASPER
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EDie tracks all information pertinent to a personnel file for the purposes of personnel management activities. Information is collected from employees via the Human Resources Database (HRDB) system. Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are completed in a timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are maintained; c) ensuring salary quality for various hiring mechanisms; d) providing reports as requested by the NIH Director, the IC Director, and other management staff; and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments. The information collected constitutes IIF and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) IIF in the system is downloaded periodically from the HRDB. Changes to the HRDB or changes in the way information is used are relayed to employees via official notice from the NIH Office of Human Resources (OHR). Individuals are notified of the collection and use of the data as part of the hiring process. This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF data is maintained in a secure database. Routine access is restricted to authorized employees and contractors only according to the principle of least privilege by the use of user name and password access controls. Additional technical and administrative controls are also employed, including badge access, intrusion detection systems, firewalls, virtual private networks, encryption, etc.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Extramural Program Development (EP)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7204-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHLBI Extramural Program
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Zeyad Mobassaleh
10. Provide an overview of the system: Manage NHLBI Extramural Research Programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Grant data is available to reviewers during submission/evaluation of potential grants. See SOR 09-25-0036
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Collection of this information is authorized under 5 U.S.C. 301. Information collected by the system includes: funding applications, awards, trainee appointments and advisory committee records. The PII collected to contact business partners includes name, personal address, personal phone number, and personal email. The primary use of this information is for government personnel to conduct grant application reviews, approvals, and to create reports related to grant applications. Submission of this information is mandatory for grant applications to be processed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There is no process to notify or obtain consent when there is a major change to the system that affects disclosure and/or data uses since the notice at the time of the original collection.

Applicants are notified data is collected when they enter it into the system, or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system has been subject to a Certification and Accreditation (C&A) process, during which, all technical, administrative and physical controls were evaluated. These controls are defined in NIST publication 800-53 Recommended Security Controls for Federal Information Systems.

The system is housed in a secure server room, which is located in a building protected by security personnel 24/7 (door locks, key badge, etc…). Technical controls ensure that no unauthorized access is permitted (passwords, certificates, encryption, firewalls, etc…). Strict administrative controls are in place to ensure the system is operated in a safe, consistent manner (least privilege, separation of duties, background investigations, etc…).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Internet Animal Study Proposal
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NHLBI Internet Animal Study Proposal (IASP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Zeyad Mobassaleh
10. Provide an overview of the system: The IASP application supports the creation and management of NIH compliant animal study proposals. This program is used by all intramural researchers at NHLBI to create and submit animal study research proposals. IASP is also used by the Animal Care and Use Committee (ACUC), Veterinarians, Investigators and research support staff to comply with requirements regarding research conducted at NIH.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The IASP application supports the creation and management of NIH compliant animal study proposals. This program is used by all intramural researchers at NHLBI to create and submit animal study research proposals. IASP is also used by the Animal Care and Use Committee (ACUC), Veterinarians, Investigators and research support staff to comply with requirements regarding research conducted at NIH with respect to animals. It does not contain any PII data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not Applicable.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Not Applicable
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Internet Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-7299-00-305-109
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106, 09-90-0024
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHLBI Web Site
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Matt Raschka
10. Provide an overview of the system: Disseminates health information and information and policies related to NHLBI Extramural and Intramural Programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Credit Card information is transferred to Verisign for cost recovery.
Information from Techfinder may be shared with the NIH Office of Technology Transfer, which is responsible for licensing NIH technology. SOR is 09-25-0106 and 09-90-0024.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Voluntary; contains IIF:
o names and mailing addresses, email addresses, phone and FAX numbers for delivery of purchased items, purchase confirmation, verification, and updating information,
o credit card numbers for: purchase of items (cost recovery),
o Login credentials needed to update staff profiles

Voluntary; does not contain IIF
o Names of organizations and description, general job titles, organizational unit, research interests, contact information, information about an activity (including dates), expected audience, and setting (e.g., healthcare, work site, community, media, etc.) for posting on the Web, publicizing local activities, or developing interest in NHLBI activities, also for staff recruitment of new postdocs and principal investigators.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The individuals are contacted by either email or US Post, depending on the information in that particular system.

Notification of intent to use information is available on the Web application or Web sites.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: Yes
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Intramural Research Application Development (IR)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7203-00-202-069
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHLBI Intramural Program
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Zeyad Mobassaleh
10. Provide an overview of the system: Manage NHLBI Intramural Research Programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Clinical test results are available to authorized researchers and caregivers. See SOR 09-25-0099
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Collection of this information is authorized under 42 U.S.C. 241, 248. The system collects medical treatment record data. This information is used to provide evaluations and treatments to patients, and for subsequent medical research. The researchers and caregivers will have access to this information. Submission of this information is mandatory for all medical research patients.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All patients sign an informed consent (paper) related to their participation in clinical research and how their data will be used. There is no process for obtaining consent from individuals whose IIF is in the system when major system changes occur; however, this system is an internal system (only available within NIH) and data are de-identified for the purpose of summarizing and publishing research results.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system has been subject to a Certification and Accreditation (C&A) process, during which, all technical, administrative and physical controls were evaluated. These controls are defined in NIST publication 800-53 Recommended Security Controls for Federal Information Systems.

The system is housed in a secure server room, which is located in a building protected by security personnel 24/7 (door locks, key badge, etc…). Technical controls ensure that no unauthorized access is permitted (passwords, certificates, encryption, firewalls, etc…). Strict administrative controls are in place to ensure the system is operated in a safe, consistent manner (least privilege, separation of duties, background investigations, etc…).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Lab of Cardiac Energetics
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200 (research)
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH NHLBI Laboratory of Cardiac Energetics (LCE)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Zeyad Mobassaleh
10. Provide an overview of the system: The LCE MRI Database is used by the Magnetic Resonance Imaging (MRI) section of LCE at NHLBI. The system was initially developed by the LCE group as a Microsoft Access database. The system was converted by the Application Development Support Branch (ADSB) to a secure web based clinical database that collects data for patients in Hjartevernd Hospital (Iceland), Suburban Hospital (Bethesda, MD) and NIH Clinical Center (Bethesda, MD). The system adheres to HIPAA standards and includes external interfaces to the NIH Central Fax Service and DICOM Nodes on the network.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Hospital personnel for clinical and research purposes.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system collects the following data elements: First Name, Middle Name, Last Name, Medical Record Number, Medical Record number for Suburban Hospitals, Medical Record number for Baltimore Hospitals, Date of Birth, Gender, Street, City, State, Zip, Home Phone, Work Phone, Email, Ethnic Group, Race.
The data is used for clinical operations and research purposes. The above listed Data Elements do contain PII data. The primary use of this information is to track clinical research results for studies conducted at the National Institutes of Health. Information such as patient name, address, medical history, test and procedure results, and other research related information is collected and maintained. NHLBI-LCE investigators use this information to analyze and report the results of clinical research being conducted within the division. The information collected includes some PII and all patients enrolled on clinical studies sign an informed consent related to their participation in clinical research. Some of the information is provided to the patient’s referring physicians with the test results and assessments related to the patient’s visit. Information is provided on a voluntary basis as participation in clinical trial research is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Each subject that participates in a clinical trial and provides data as a result must sign a consent form that indicates what PII is being collected and how that data will be used or shared. Once received, the forms are scanned into the system. The original form is kept on file in the patient's medical file and a copy is provided to the patient for their own records as well.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Data is maintained in a secure database. Routine access is restricted to authorized employees and contractors only according to the principle of least privilege by the use of user name and password access controls. Additional technical and administrative controls are also employed, including badge access, intrusion detection system, firewalls, virtual private networks, encryption, etc. The NHLBI-LCE support staff monitors system access for intrusion detection and reviews audit logs to identify inappropriate browsing or inappropriate database access. Computer security incidents are referred to the NIH Incident Response Team (NIH IRT). Contractors are required to have employment suitability determinations, National Agency Checks, credit checks, and/or background investigations, commensurate with the position. Contractors are also required to sign an NIH non-disclosure agreement prior to being given access to the NHLBI-LCE. Contractors must take the NIH security awareness training.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI NHLBI Hosted Systems GSS [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 1/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NO
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): NO
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): NO
7. System Name (Align with system Item name): NHLBI Hosted Systems GSS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jason Cate
10. Provide an overview of the system: The NHLBI Hosted Systems GSS supports approximately 1,500 users at the NHLBI. The NHLBI Hosted Systems GSS is located in the Customer Service Area (CSA) 2 in the NIH Data Center in Building 12 on the NIH main campus in Bethesda, MD and at the NIH Consolidated Co-Location Site (NCCS) at the Qwest data center in Sterling, VA.

The NHLBI Hosted Systems GSS comprises servers and SANs constituting a General Support System.

Although many applications reside on servers in the NHLBI Hosted Systems, the Data Center itself does not process or store any IIF. (Individual application PIAs will address any and all IIF.)
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The NHLBI Hosted Systems GSS shares PII data with the Clinical Data System (CDS). The NHLBI-CDS produces Medical Record reports that are filed in the Clinical Center Medical Records Department and are also used to send to the patient’s referring physician. SOR number is 09-25-0200. Hosted Systems GSS shares PII data with Extramural Program Development (EP) for grant purposes. Hosted Systems GSS shares PII with the NHLBI Internet Website for Credit Card information, which is transferred to Verisign for cost recovery. Information from Techfinder may be shared with the NIH Office of Technology Transfer, which is responsible for licensing NIH technology. SOR is 09-25-0106 and 09-90-0024. NHLBI Hosted GSS shares PII data with NHLBI Intramural Research Application Development (IR) regarding clinical test results shared with authorized researchers and caregivers. See SOR 09-25-0099.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Patient records, patient medical records numbers, names, addresses, DoB, email addresses. To support the mission of the NHLBI for science and research. The information collected is PII in nature. All of the information provided by the user is given on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The NIH OCIO office has procedures on dealing with PII breach/spillage for incident procedures for the ISSO to follow. NIH has a process in place for collecting PII from users via a consent form. Information will be used and shared to support the mission of the NHLBI for science and research. Users are given consent in a written notice.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All users must go through Rules of Behavior training before being granted access to a system. Identification and authentication mechanisms are in place to prevent unauthorized access to data. Data centers are protected by guards, badge readers, iris scanners and access is only provided to administrators of the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI NHLBI LAN GSS [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 1/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: NO
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): NO
5. OMB Information Collection Approval Number: NO
6. Other Identifying Number(s): NO
7. System Name (Align with system Item name): NHLBI LAN GSS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jason Cate
10. Provide an overview of the system: The NHLBI-managed LANs general support system (GSS) is owned and maintained by the Information Technology Resources Branch (ITRB) of the NHLBI Center for Biomedical Informatics (CBI). NHLBI LANs assets are located in buildings 10, 14, and 31 on the NIH main campus in Bethesda, MD as well as in the off-campus Rockledge One and Two buildings in Bethesda, MD and the 5RC building in Rockville, MD. The NHLBI LANs GSS provides network connectivity for NHLBI information systems, applications, and users.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The LAN shares PII data using switches to route the information to the NHLBI network resources. The NHLBI Hosted Systems GSS shares PII data with the Clinical Data System (CDS). The NHLBI-CDS produces Medical Record reports that are filed in the Clinical Center Medical Records Department and are also used to send to the patient’s referring physician. SOR number is 09-25-0200. Hosted Systems GSS shares PII data with Extramural Program Development (EP) for grant purposes. Hosted Systems GSS shares PII with the NHLBI Internet Website for Credit Card information, which is transferred to Verisign for cost recovery. Information from Techfinder may be shared with the NIH Office of Technology Transfer, which is responsible for licensing NIH technology. SOR is 09-25-0106 and 09-90-0024. NHLBI Hosted GSS shares PII data with NHLBI Intramural Research Application Development (IR) regarding clinical test results shared with authorized researchers and caregivers. See SOR 09-25-0099.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Patient records, patient medical records numbers, names, addresses, DoB, email addresses. To support the mission of the NHLBI for science and research. The information collected is PII in nature. All of the information provided by the user is given on a voluntary basis.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The NIH OCIO office has procedures on dealing with PII breach/spillage for incident procedures for the ISSO to follow. NIH has a process in place for collecting PII from users via a consent form. Information will be used and shared to support the mission of the NHLBI for science and research. Users are given consent in a written notice.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All users must go through Rules of Behavior training before being granted access to a system. Identification and authentication mechanisms are in place to prevent unauthorized access to data. Data centers are protected by guards, badge readers, iris scanners and access is only provided to administrators of the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Status of Funds Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NHLBI SOFie
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sandra Gault
10. Provide an overview of the system: SOFie is a web-based application for internal use only to manage expenditures and obligations. The purpose of the system is to monitor expenditures. Program helps project the budget; allows users to know how much money is left in the FY to spend.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: All accounting transactions are available for viewing in SOFie. The information is used to track and plan fiscal budgets. It is necessary to have access to this data in order to comply with appropriations laws and regulations. Data elements stored are: arbitrary Document #, Object Class Code, Vendor, Description of Expenses, and Purchase Amount.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Survey of NHLBI Constituents’ Health Information Needs and Preferred Formats
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): SORN 09-25-0156
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Survey of NHLBI Constituents’ Health Information Needs and Preferred Formats
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ann Taubenheim
10. Provide an overview of the system: A Web-based survey tool, WebSurveyor, will be used to contact and collect data from NHLBI constituents who have contacted the NHLBI Health Information Center website within the past 3 years. These previous customers will be invited by e-mail to participate in a short online survey. Survey questions ask about respondents’ health information and education needs and format preferences. No personally identifiable information (PII) will be collected from survey respondents. Constituents who choose to complete the survey are identified by e-mail address. Upon completion of the survey, all data tying the assigned identifier to an e-mail address will be destroyed; namely, the contents of the e-mail fields will be erased.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Survey questions ask about respondents’ health information and education needs and format preferences. No personally identifiable information (PII) will be collected from survey respondents.

The survey data will be used to support the NHLBI Office of Communications and Legislative Activities’ efforts in developing a strategic plan. All survey responses are voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All e-mails to potential respondents, as well as each page of the survey will contain the message: “Your answers will be kept completely confidential and not linked to personal or identifying data of any kind. Moreover, your information will not be shared with any other party.”

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative Security: Only contractor personnel whose duties require the use of the information in the system have access. This includes the system administrator only.

Technical Security: The multiserver architecture is isolated on a dedicated internal subnet separated from both the internal AIR network and the public Internet by an enterprise-grade firewall managed by the AIR Web Hosting Services team. In addition to the firewall, Web Hosting Services has deployed an intrusion prevention system appliance that can employ granular security policies commensurate with the level of risk on a per-host basis. For security purposes, only the Web server itself is accessible from the Internet, and even then, solely over ports 80 and 443 for HTTP and SSL-encrypted HTTP, respectively. The databases are not Internet-accessible, and furthermore, are accessible strictly from within the internal AIR network only to those users whose roles require that they be expressly granted access to these systems. Internal access to the servers may take the form of SFTP to the Web server, Terminal services to any servers, directly via the local console, or via an installed eEnterprise client. Authorized internal users are able to access only those servers to which they need access and only via the methods that are applicable to their specific roles.

The WebSurveyor tool will assign a unique identifier to each potential respondent in the study tied to his/her e-mail address to ensure one response per respondent. That identifier will not be accessible to anyone but the AIR system administrator for the WebSurveyor tool. Upon completion of the survey, all data tying the assigned identifier to an e-mail address will be destroyed; namely, the contents of the e-mail fields will be erased.

Physical Safeguards: The system administrator’s role is to ensure a stable and secure operating environment within which the WebSurveyor tool can function. This includes establishing and executing a long-term vision that guards the security and reliable operation of the system. This includes managing backups of system files and data; installation of patches to ensure system security and stability; monitoring system log files for suspicious activity; assigning server-level access rights to users as needed; and coordinating with vendors to replace and enhance system hardware as needed.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzanne Freeman
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/20/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIA Telework NIA [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/5/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018 "Personnel Records in Operating Offices, HHS/OS/ASPER"
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): NIH NIA Telework
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Melissa Fraczkowski
10. Provide an overview of the system: The Telework system is an enterprise system hosted by NIA. This enterprise system is also used by CSR, NHGRI, NIMHD, NIDA and NHLBI. The system supports the federal Telework initiative by providing an online Telework application repository and approval workflow. After an employee completes an online Telework application form, the application moves through an electronic approval process. Upon approval of the application, the applicant receives an email notification of their application status. The applicant then completes an online Home Office Evaluation form. The Telework system also enables automatic renewals, automatic changes, and online termination of telework approval.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the system of record 09-90-0018 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES http://oma.od.nih.gov/ms/privacy/pa-files/09900018.htm for the allowed disclosures of PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The Telework system collects and maintains voluntarily submitted PII needed to support the federal Telework initiative, including employee name, supervisor name, NIH employee badge number, job title and grade, IC, division, building and room numbers, work phone and fax, email address, home address, and home phone and fax numbers. The information is used to manage Telework applications, approvals, renewals, changes, and terminations. The information contains PII. Personal information submission is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All PII in the Telework system is submitted by Telework applicants during the application process. At login, the Telework system displays a Privacy Statement that describes use of collected data.

No processes are in place to notify and obtain consent from the individuals whose PII is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

Refer to the system of record 09-90-0018 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for a summary of the notice of uses of information.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: guards, identification badges, key cards and closed circuit TV. Technical controls: user ID, passwords, firewall, Virtual Private Network (VPN).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Taryn Ayoub
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA Clinical Research Database (CRDB)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIAAA Clinical Research Database (CRDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Etienne Lamoreaux
10. Provide an overview of the system: NIAAA CRDB collects and acquires data from CRIS (Clinical Research Information System) and NIAAA intramural laboratories. Authority for the maintenance of the system: 42 U.S.C. 241, 42 U.S.C. 290dd-2, 42 CFR Part 2, and where applicable, nondisclosures will be made consistent with authorization of confidentiality under 42 U.S.C. 241 and 42 CFR Part 2a.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose PII. Refer to SORN 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: CRDB collects patient data that is used to conduct clinical protocols. The information collected from subjects constitutes PII. Information and patient data is obtained from subjects who sign written informed consent forms. Rules and regulations are in agreement with standard practices at the NIH Clinical Center.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PII in the system is downloaded from NIH CRIS (Clinical Research Information System); therefore, the notification and consent processes associated with CRIS apply. This data is merged with patient data (PII) collected by NIAAA intramural laboratories. Information and patient data is obtained from subjects who sign written informed consent forms. Rules and regulations for the collection of patient data by NIAAA laboratories are in agreement with standard practices at the NIH Clinical Center.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII stored in NIAAA CRDB is accessed by a very limited number of staff with a “need-to-know” status, mostly consisting of principal investigators and scientific staff responsible for data input and validation. Only authorized users have access to PII data. PII contained in the system is protected through NIH Active Directory account and password management, and inherited NIH policies and procedures. Secure socket layer protocol (SSL) is used to encrypt data in transit. The system is located in a secure network room behind a firewall. Users receive NIH rules of behavior training. All personnel not having card key access to the server room are escorted and required to sign in. Access to the building and its hallways is recorded on video 24 hours a day (recorded - not CCTV).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA EMPLOYEE DATABASE internet edition (EDiE)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3196-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): Employee Database Internet Edition
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Patricia Scullion
10. Provide an overview of the system: EDiE is an intranet based application primarily used to manage and track personnel information. Authority for maintenance of the system: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is intended for internal senior administrative use only and will not be shared by other entities. Refer to SORN 09-90-0018, SORN 09-90-0024 and SORN 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EDiE tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the Human Resources Database (HRDB) system, nVision Data Warehouse and NIH Enterprise Directory (NED). Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are maintained; c) ensuring salary equality for various hiring mechanisms; d) providing reports to the NIH Director, the IC Director, and other management staff as requested; and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments. The information collected constitutes PII and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is used are relayed to employees via official notices from the NIH Office of Human Resources (OHR). Individuals are notified of the collection and use of the data as part of the hiring process. This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII stored in EDiE is accessed by a very limited number of administrative staff with a “need-to-know” status. Only authorized users have access to PII data. PII contained in the system is protected through NIH Active Directory account and password management, and inherited NIH policies and procedures. Secure socket layer protocol (SSL) is used to encrypt data in transit. The system is located in a secure network room behind a firewall. Users receive NIH rules of behavior training. All personnel not having card key access to the server room are escorted and required to sign in. Access to the building and its hallways is recorded on video 24 hours a day (recorded - not CCTV).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA FINEX
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8610-00-404-136
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIAAA FinEx
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Casady
10. Provide an overview of the system: The FinEx application is a centralized, internet-based relational database environment that stores data and business rules (procedures) required to maintain the Extramural grant budget. The FinEx application includes the tools necessary to estimate, award, obligate, forecast and report on grant budgets in the Extramural program.

In its in-production state, FinEx resides on the NIAAA-FINSOF server as a .Net, web-developed application. Its interdependences on other resources (or dynamically-linked libraries (DLLs)) are fully compiled into the installed version of FinEx on NIAAA-FINSOF. NIAAA-FINSOF serves as the web application. The database on which FinEx is dependent resides on NIAAA resources, SQL Server 2000 database server. FinEx utilizes, but is not dependent on NIH CIT resources for supplemental data (e.g. IRDB-an Oracle database warehouse server and DataWarehouse-an IBM mainframe finance data warehouse).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII is obtained from the eRA system in the administration of research grants IAW SOR#09-25-0036.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Financial Grant information. The FinEx application is a centralized, Internet-based relational database environment that stores data and business rules (procedures) required to maintain the extramural grant budget. The FinEx application includes the tools necessary to estimate, award, obligate, forecast and report on grant budgets in the extramural program. The type of PII collected and contained in NIAAA FinEx is applicant "names"; it is obtained from the eRA system and is a required part of the grants submission process. Since PII is required for the grants submission process, it is a mandatory requirement of FinEx. This PIA is only viewed by the NIAAA Budget Office.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PII is submitted as a part of the grants application process. Information used by the NIAAA FinEx is taken from the eRA grant application. Notification and consent from the individual is assumed when the grant application is submitted. All notification and consent is taken care of via the grant application submission process and eRA systems.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Role based security and NIH Active Directory authentication with a user name and password are used, and group access permissions are used to secure the application and its data. Users are only allowed access on a least privilege, need-to-know basis, and receive NIH rules of behavior training. The system resides behind a firewall and is in a server room with no external access. All personnel not having card key access to the server room are escorted and required to sign in. Access to the building and its hallways is recorded on video 24 hours a day (recorded - not CCTV).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA NESARC3 Study Management System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: TBD
6. Other Identifying Number(s): Westat Internal Project ID 8690
7. System Name (Align with system Item name): NIH NIAAA National Epidemiologic Survey on Alcohol and Related Conditions III Study Management System (NESARC3-SMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bridget Grant, Ph.D, Ph.D
10. Provide an overview of the system: The information is collected under 42 USC 285n and participation in the NESARC-III is voluntary. The information contains PII and information is shared in accordance with the guidance in the System of Records Notice 09-25-0200. The NESARC-III is a nationally representative survey of the U.S. population (N=46,500). The NESARC-III will collect information on alcohol use practices and alcohol use disorders and their associated physical (e.g. liver cirrhosis) and psychological (e.g. depressed mood) disabilities and also DNA through saliva samples. There are two small methodological components (N=1700) that collect information on reliability and validity. The major purpose of the information is to determine the prevalence, distribution, treatment and health disparities and economic costs and to identify environmental and genetic risk factors and their interactions for these conditions.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information stored in the system is shared in accordance with the routine uses outlined in NIH Systems of Record Notice 09-25-0200.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information is collected under 42 USC 285n and participation in the NESARC-III is voluntary. The information contains PII and information is shared in accordance with the guidance in the System of Records Notice 09-25-0200. The NESARC-III is a nationally representative survey of the U.S. population (N=46,500). The NESARC-III will collect information on alcohol use practices and alcohol use disorders and their associated physical (e.g. liver cirrhosis) and psychological (e.g. depressed mood) disabilities and also DNA through saliva samples. There are two small methodological components (N=1700) that collect information on reliability and validity. The major purpose of the information is to determine the prevalence, distribution, treatment and health disparities and economic costs and to identify environmental and genetic risk factors and their interactions for these conditions. 
Information collected includes background information, including sociodemographic variables; alcohol use practices, disorders and alcohol related social, psychological and physical consequences; symptoms scales indexing major mood, anxiety, and eating conditions that frequently co-occur with alcohol and drug use disorders; tobacco, medicine and drug use and disorders and related social, psychological, and physical consequences; selected personality traits, including behavior; alcohol, drug, and mental health treatment utilization; medical conditions related to alcohol consumption; care giving roles; discrimination in health care; race-ethnicity; gender; income; sexual orientation; physical disability; acculturation; perceived stress and social support; adverse childhood experiences and intimate partner violence; nativity; generational status; sexual orientation; age at first intercourse; presence of HIV/AIDS and other medical disease; health insurance coverage; and executive functioning.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Individuals whose information is in the system only interact with the system to respond to the surveys. No changes will be made to the information that they provide. Respondents are notified and consent is obtained regarding PII collected from them through advance letters, informational study materials and written notice on consent. The information will be used for research purposes and shared in accordance with the guidance in System of Records Notice 09-25-0200.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information will be secured on the system through access controls, personnel security awareness and training, regular auditing of information and information management processes, careful monitoring of a properly accredited NESARC3-SMS information system, control of changes to the system, by appropriate planning and testing of configuration management and contingency processes, by ensuring that all users of the NESARC3-SMS are properly identified and authorized for access and are aware of and acknowledge the system rules of behavior, by ensuring that any contingency or incident is handled expeditiously, properly maintaining the system and regulating the environment it operates in, by controlling media, by evaluating risks and planning for information management and information system operations, by ensuring that the system and any exchange of information is protected, by maintaining the confidentiality and integrity of the NESARC3-SMS, and by adhering to the requirements established in the contract and statement of work.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA NIAAA General Support System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-0200-01-3109-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIAAA General Support System (GSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jonathan Folkers
10. Provide an overview of the system: The system is a General Support System (GSS) and does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system is a General Support System (GSS) and does not directly collect or store information. The applications/systems residing on the GSS collect and store information. Therefore, individual PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA SOFie
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Status of Funds internet edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Casady
10. Provide an overview of the system: SOFie is a Web based application employing Microsoft’s IIS and SQL server software. The SOFie application supports the efforts of several offices and branches within NIAAA, allowing budget offices to track expenditures of direct, reimbursable, and non-appropriated funds in a fiscal year. Additionally, SOFie is used to reflect budget allocations and projected expenditures at the operating level. The program also contains a tracking mechanism to track prior year funds. The application downloads this information from the NIH Data Warehouse weekly. Information entered into the SOFie database is not uploaded into the NIH Data Warehouse database. SOFie is not a source database for other information systems.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from the Central Accounting Mainframe (Data Warehouse Budget and Finance) and is relevant or specific to NIAAA for its fiscal year operations. No IIF information is contained in SOFIE.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Pamela Anderson
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID ARAC Review (ARAC)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/18/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-8520-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH NIAID AIDS Research Advisory Committee (ARAC) Review
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439, croghanj@niaid.nih.gov
10. Provide an overview of the system: The ARAC system serves as a communication tool for committee members and the NIAID office that coordinates the meetings. It provides a web accessible interface for DAIDS to:

· post timely information on upcoming ARAC meetings
· receive feedback on concepts from meeting participants (members)
· send emails containing system related information to active users
· maintain a searchable archive of past meetings, concepts, and participants

The ARAC system is a role based secure tool with three different levels of users: administrators, members, and viewers.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information on committee members who participate in the application review process will be maintained, and may be shared with other authorized users. This includes the user name, degree, title, work address, work phone number, and work email address. Per SORN 09-25-0036, Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process. Disclosure may be made to a private contractor or Federal agency for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. The contractor or Federal agency
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information on committee members who participate in the application review process will be maintained, and may be shared with other authorized users. This includes the user name, degree, title, work address, work phone number, and work email address. Per SORN 09-25-0036, Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process. Disclosure may be made to a private contractor or Federal agency for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. Committee members whose names and contact information are contained on the system have submitted it voluntarily and are informed that it will be used to assist in communication and the review process.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Written consent is obtained from members when personal (contact) information is collected.
The intended use for the information is described in writing at the time of collection.
Members are informed of the use of the application (ARAC), that it will contain their names and contact information. Changes to the system are discussed with all members during business communications, including written correspondence.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to NIH extramural and advisory committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-time and special access by other employees is granted on a need-to-know basis as specifically authorized by the System manager.
Physical Safeguards: Physical access to NIH work areas is restricted to employees. Physical access to the Office of Technology Information Systems (OTIS) work areas is restricted to OTIS employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OTIS.
Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Biological Specimen Inventory II (BSI-II)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/18/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Biological Specimen Inventory II (BSI-II)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tram Huyen, 301.451.2898
10. Provide an overview of the system: NIAID is a data-intensive organization, highly reliant on the effective and efficient management of large volumes of clinical biospecimen data to accomplish its research mission. To address the tracking and management of its clinical biospecimens while ensuring compliance with recent Congressional reporting requirements and other Federal regulations, NIAID is seeking to implement the Biological Specimen Inventory-II (BSI-II) system. This system is operated by a contractor working on NIAID's behalf: Information Management Services, Inc. (IMS).

The BSI-II system is designed to track laboratory specimen inventories from a single laboratory up to an enterprise-level biorepository. The system provides the following capabilities:

· Specimen Management
· Requisition/Workflow Tracking
· Freezer/Inventory Management
· Comprehensive Reporting
· Shipment and Discrepancy Tracking

The BSI-II system runs on all major operating systems and can accommodate a large number of records and concurrent users. The system can be accessed via two implementations: a Java-based client application and a Web-based application.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Researchers who are Authorized users can view the data for research purposes. Note that this system does not match IIF against other computer systems, and no other organizations or systems are dependent upon the IIF contained in this system. Additionally, per SORN 09-25-0200, routine uses of records maintained in the system, including categories of users and the purposes of such uses, are as follows:

A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; e.g., disclosure of alcohol or drug abuse patient records will be made only in accordance with the restrictions of confidentiality statutes and regulations 42 U.S.C. 241, 42 U.S.C. 290dd-2, 42 CFR Part 2, and where applicable, no disclosures will be made inconsistent with an authorization of confidentiality under 42 U.S.C. 241 and 42 CFR Part 2a; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) warrants the risk to the privacy of the individual that additional exposure of the record might bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining such information, and (3) make no further use or disclosure of the record except (a) in emergency circumstances affecting the health or safety of any individual, (b) for use in another research project, under these same conditions, and with written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law; and (D) has secured a written statement attesting to the recipient's understanding of, and willingness to abide by, these provisions.
Disclosure may be made to a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained.
The Department of Health and Human Services (HHS) may disclose information from this system of records to the Department of Justice when: (a) The agency or any component thereof; or (b) any employee of the agency in his or her official capacity where the Department of Justice has agreed to represent the employee; or (c) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records by the Department of Justice is, therefore, deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records.
Disclosure may be made to agency contractors, grantees, experts, consultants, collaborating researchers, or volunteers who have been engaged by the agency to assist in the performance of a service related to this system of records and who need to have access to the records in order to perform the activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m).
Information from this system may be disclosed to Federal agencies, State agencies (including the Motor Vehicle Administration and State vital statistics offices, private agencies, and other
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The collection of IIF is a voluntary process that is routinely done as a part of a clinical protocol. The collection of this information and the subsequent handling of that information is detailed in the consent forms associated with a given clinical protocol.

The IIF collected and stored in the BSI-II system may include:
· Adoption Status
· Age
· Date of Birth
· Date of Death
· Date of Last Status
· Deceased Status
· Diagnosis
· Email Address
· Ethnicity
· Family Information
· Medical Notes
· Medical Records Numbers
· Patient Name
· Clinician Name
· Phone Number
· Sex
· Suffix
· Vitals status
· Medications
· Protocol #(s)
· Confidentiality Agreement # or exemption
· Collection Site Name
· Collection Site Address
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Informed Consent is obtained from all participants in writing before they are enrolled in a clinical protocol. The informed consent documents what information is collected and how it will be used, as well as providing a point of contact for each protocol.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The IIF will be secured in a similar fashion to that of other data stored in the system. Briefly, security measures include:
Transmission
All communication between the client application and the BSI transaction servers will be encrypted using a 128-bit algorithm. All HTTPS communications, including the web-based client application, will use AES 256-bit encryption between the client and the server. In addition, IMS will maintain both production HTTP and HTTPS (secure) servers on the Internet for file transfers. The HTTP servers are utilized for day-to-day file transfers of publicly available data.
System Monitoring
Automated audit trails are monitored on all server-based systems deployed at IMS. File usage logging will be done for files specified by the NIAID. Audit records and server logs will be reviewed daily for anomalies. An automated reporting tool will be used to analyze the server logs to look for abnormal activity. Automated audit trails also play an important part in governing the access granted to users outside the Contractor’s Local Area Network (LAN). A firewall is in place that logs all incoming and outgoing connections to the LAN. This includes connections to the UNIX/Linux workstations and the Windows servers. This log will be maintained and checked for evidence of attempted unauthorized access to the Contractor’s LAN.
Client Application
The BSI-II system maintains a full audit trail on all data and meta-data modified in the system. This includes what was changed, when, how, and by whom. These logs will be maintained within the database and will not be editable, but will be available for query and review by authorized staff. Access to the system requires a valid username and password. All communication between the client and server uses encrypted sockets to protect the data. Access to system functions is granted by role-based assigned privileges.
Computer Center Administrative and Physical Safeguards
IMS’ Standard Operating Procedure (SOP) for Computer Resource Security details the standards and processes used to ensure the security of the computer resources and data. All IMS employees will be required to read and follow this SOP.

IMS’ computer center has facilities in Silver Spring, MD and in Sterling, VA. The Sterling, Virginia site will be used for production services that require 24/7 accessibility. This site has personnel on site 24-hours a day in a facility that requires a key card and fingerprint for access. The facility also provides protection against fire and flood with highly sensitive monitoring equipment. Generators are available to provide continuous electricity in case of a main power failure.

The Silver Spring computer center is in a separate office with a key coded access lock. Each person authorized to access the computer center has a personal ID and password that must be entered each time the door is opened. A log of any attempt to enter the computer center is maintained. This log is routinely reviewed to identify any potential security risks. Visitors are never allowed into the computer center at either site. Maintenance and repair personnel will be escorted into the computer room and then monitored until all work is complete.

IMS employs firewalls with Intrusion Detection capabilities to secure the network perimeter. The firewalls are continually monitored. Reports are distributed to authorized administrators twice daily for their review. Computer center staff performs weekly security checks using Security Auditor's Research Assistant (SARA), a third generation UNIX-based security analysis tool. IMS routinely reviews the security check results and rectifies any identified potential security vulnerabilities.

Registration of authorized users on IMS’ Network is controlled by the IMS system administrator. To enter the network, the user must have an authorized user ID and a password which must be changed every 90 days. Network privileges are established
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Chem Database
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/11/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Chem Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Joe Croghan
10. Provide an overview of the system: The NIAID ChemDB system provides for the management of chemical and biological databases which serve as tools for the rational selection and discovery of potential therapies for AIDS and opportunistic infections (OIs). The databases contain pertinent published literature and NIAID confidential data and information on the chemical, virological, immunological and microbiological aspects of therapeutic agents for HIV, OIs, and TB, and on microbicides.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The data collected, maintained and disseminated in the NIAID Chemdb is preclinical chemical and biological testing data abstracted from publicly available journal articles, patents from the US Patent and World Patent offices and professional association meetings. The data includes chemical structures, molecular weights, molecular formulas, chemical names, compound identifiers, trivial compound names, names of companies and institutes where the compound was developed, CAS# and NSC# for each compound. Also stored in the database are estimated parameters such as logP, number of H bond donors, number of H bond acceptors and Phia, which might indicate a compound's suitability as a drug. These parameters are generated using publicly available third-party software such as the FDA’s Kowwin, MDL’s QSARIS and Symyx’s Isentris. The biological data stored in the database is EC50, IC50, CC50, SI, testing methods, virus tested, cell line tested, enzyme tested and other data which elucidates the environment in which the data was collected.

This database does not contain any IIF data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor/Margaret Moore
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Clinical Research Information Management System of NIAID [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: New Interagency Uses 
1. Date of this Submission: 8/11/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0099
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Clinical Research Information Management System of NIAID (CRIMSON)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bill Barrick
10. Provide an overview of the system: The Clinical Research Information Management System of the NIAID (CRIMSON) is a Major Application used by the NIAID outpatient clinics in support of their clinical research trials. CRIMSON was developed around a novel model that reduces or eliminates duplicate data entry of research study participant information. CRIMSON combines electronic medical record functionality with clinical trials management functionality into one system. CRIMSON automatically integrates laboratory data from multiple sources, along with entered clinical observation data, into one data repository of clinical research protocol information. Information is then available to investigators for clinical and research usage via standard reports, monitoring reports, ad-hoc queries, statistical analysis, graphical display, etc.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Sharing is limited to medical consultation within the organization. In addition, PII (progress notes and lab data) are shared with the NIH Clinical Center Medical Records Department for patient care and clinical research.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The system is an electronic health record. The program will collect patient encounter information including medical histories, examinations, treatment plans, interventions and the outcomes of those interventions. Documentation of family histories and health events may include identifiers of both the individual and family members. Documentation of common contact information (e.g., address, phone number, e-mail address) is required for safety purposes and to maintain continuity of the provider-patient relationship. The system does not collect Social Security numbers. (2) The information is used in the conduct of clinical research, health management, health education of the individual patient or family, and teaching in a professional program of medical education. (3) The information contains PII, including name, date of birth, address, phone number, e-mail address, and medical data. (4) All information submitted by patients is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) A number of federal and local agencies oversee and direct this process including the Institutional Review Board for Human Subjects Protection, the Clinical Center Medical Records Department, and the Office of Human Subjects Protections.

(1) When an initiative arises in which historical data or specimens are desired for use in ways not covered by prior consent, the Institutional Review Board reviews and advises on the scope of consent. In many cases the IRB requires re-consent with the patient or requires that the program refrain from data or specimen uses not previously consented. (2) Patients in this program undergo informed consent counseling from no fewer than two separate allied health professionals. Consent is obtained in an interview with a physician and affirmed by the patient in writing. Notification and consent to obtain information and specimens is managed in the Consent to Treat and Consent to Participate in Clinical Study procedures. Patients are extensively counseled on the meaning and implications of both and then affirm their understanding in writing. (3) Patients are notified during the consent process how their information will be used and that it may be shared with health care professionals and research staff.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: System access is granted by the Project Officer (COTR) for purposes of conducting health care or clinical research. Allied Health care professionals with direct patient contact and access to the system are credentialed by the appropriate hospital authorities. Other logistical and scientific staff are granted access based on a “least permissions” model appropriate to their role in the care or research process. All persons with access to the system are covered by appropriate nondisclosure agreements, have completed NIH security training, and been instructed in the appropriate management of IIF.

Electronic access to the system is restricted to persons with credentials that include a password and logon. NIH policies apply to password complexity and change frequency. Access lists are reviewed every 6 months to ensure currency. Individual access may be reviewed on an as needed basis. Data travels only over secured NIH networks. Servers are located in secure physical locations certified and accredited for appropriate physical access controls.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor/Margaret Moore
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID DAIT Studies System (DSS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/18/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8534-00-110-249
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID DAIT Studies System (DSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439, croghanj@niaid.nih.gov
10. Provide an overview of the system: This is a management oversight system designed to assist the Division of Allergy, Immunology and Transplantation (DAIT) Project Officers (POs) in managing research projects that include human subjects.

13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information will not be shared. Per SORN 09-25-0036, disclosures may be made for the following uses:
Disclosure may be made to the cognizant audit agency for auditing.
Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Name, Mailing address, telephone number, and email address are the PII that the agency will collect. It will be used for management oversight to assist DAIT Project Officers (POs) who manage research projects that include human subjects.
Submission of the information is voluntary as it is part of the application process, but applications that are submitted without the information could be hindered from processing and could be declined for insufficient information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is provided by individuals who are applying for grants. Participation is at the discretion of the individual who applies for the grant or award. The applicants are informed on the application that the information collected will be used solely for the management of the grants process and will not be shared. There is no process in place to notify individuals in the event of a major change to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to NIH extramural and advisory committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-time and special access by other employees is granted on a need-to-know basis as specifically authorized by the System manager.
Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP) work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OAMP.
Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.
These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS hf: 45-13, and the HHS Automated Information Systems Security Program Handbook.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha R. Taylor/Margaret Moore
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Employee Database Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Significant Merging 
1. Date of this Submission: 9/19/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Employee Database Internet Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Joe Croghan
10. Provide an overview of the system: EDie is an intranet based application primarily used to manage and track personnel information. Authority for maintenance of the system: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is intended for internal administrative use only and will not be shared by other entities. Refer to SORN 09-90-0018, SORN 09-90-0024 and SORN 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EDie tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the Human Resources Database (HRDB) system; Fellowship Payment System (FPS); nVision Data Warehouse and NIH Enterprise Directory (NED). Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports requested by the NIH Director, the IC Director, and other management staff, as requested; and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments. The type of information collected constitutes PII and includes, but is not limited to the following data elements: name, home address, home phone number, social security number and date of birth. The PII collected is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS, nVision Data Warehouse and NED. Changes to HRDB or changes in the way information is used are relayed to employees via official notices from the NIH Office of Human Resources (OHR). Individuals are notified of the collection and use of the data as part of the hiring process. This is a mandatory requirement of potential job applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: The NIAID system manager(s) authorize access to the system based upon an employee’s official role and job function within the organization in addition to management approval.

Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP) work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OAMP. The NIAID Data Center is restricted by badge access whereby permissions are only provided to limited employees with job functions requiring such access. In addition, entry to the building is controlled via badge access and visitors are required to sign in at the guard’s desk and be escorted around the building.

Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha R. Taylor
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Facility Management System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: This system does not meet the requirements for a UPI number.
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Facility Management System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Joe Croghan
10. Provide an overview of the system: The Office of Research Operations (ORO) uses the Facility Management System to manage the NIAID space inventory and associated facility assets. It is used to track the office and laboratory space allocations for all NIAID staff, fellows, and contract employees.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information on this system is for internal use only, and is used by the Office of Research Operations (ORO) to plan space and office allocations. Disclosure may be made to a congressional office from the records of an individual in response to an inquiry from the congressional office made at the request of that individual.
Disclosure may be made to representatives of the General Services Administration or the National Archives and Records Administration who are conducting records management inspections under the authority of 44 U.S.C. 2904 and 2906.
Disclosure may be made to agency contractors, experts, consultants, or volunteers who have been engaged by the agency to assist in the performance of a service related to this system of records and who need to have access to the records in order to perform the activity. Recipients are required to maintain Privacy Act safeguards with respect to these records.
Disclosure may be made to respond to a Federal agency's request made in connection with the hiring or retention of an employee, the letting of a contract or issuance of a security clearance, grant, license, or other benefit by the requesting agency, but only to the extent that the information disclosed is relevant and necessary to the requesting agency's decision on the matter.
Disclosure may be made to the Department of Justice, or to a court or other adjudicative body, from this system of records when (a) HHS, or any component thereof; or (b) any HHS officer or employee in his or her official capacity; or (c) any HHS officer or employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the officer or employee; or (d) the United States or any agency thereof where HHS determines that the proceeding is likely to affect HHS or any of its components, is a party to the proceeding or has any interest in the proceeding, and HHS determines that the records are relevant and necessary to the proceeding and would help in the effective representation of the governmental party.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1. This system only contains information on NIAID employees, fellows, and contractors. Information is pulled monthly from NIH NED Public Data and includes:
· NED ID
· Name
· Organization
· E-Mail
· Location - Building, Floor, Room
2. The employee information is used to associate employees with facility space information in order to calculate space utilization, and track vacant underutilized space.
3. The information does contain PII.
4. Submission of employee data to NED is mandatory under federal guidance.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Prospective employees/staff are informed of the privacy act statement upon receipt of official employment forms. The privacy act statement informs prospective employees of the routine purpose for collecting the information that is being requested. The information in the system is based upon official information that is provided as a condition of employment.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is password protected with role based security that provides a separation based on need to know. Only space data managers will have access to information. The system is protected by firewalls, both NIH and NIAID controlled. The server is located within a NIAID facility, protected by guards who require ID badges for entry. The server is further contained in a locked server room that requires special access for entry.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor/Margaret Moore
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/21/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID iMedRIS
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A - Minor Application
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID iMedRIS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bill Barrick, Clinical Research Program Analyst
10. Provide an overview of the system: Submission and management of documents associated with Institutional Review Board business of the NIAID.
NIAID IRB Submissions (iMedRIS/iRIS) is a commercial software solution intended for use by the NIAID Institutional Review Board (IRB) Office and its customers including IRB members and clinical research Investigators. The purpose of the solution is to manage the online submissions associated with clinical research protocols and the work of those whose responsibility it is to assure human subjects protections.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Clinical research protocols, documents supporting human subjects protections as they relate to clinical research protocols including adverse events that occur during the conduct of such protocols and information items about clinical research protocols and the business of the Institutional Review Board. No IIF is contained in any of the documents.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A - No IIF in system
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor/Margaret Moore
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID NIAID Acquisition Management and Budget Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8513-00-405-143
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID Acquisition Management and Budget Information System (AMBIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Joe Croghan, 301.443.8439, croghanj@niaid.nih.gov
10. Provide an overview of the system: The Acquisition Management Budget Information System (AMBIS) is a Web based acquisition system that effectively and securely allows filing purchase requests that are further processed and entered into the NIH Business System (NBS).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): none
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The information the agency will collect, maintain, or disseminate contains only federal contact data: Name, business mailing address, business telephone number, and business email address; (2) the information collected is an identifier for requesters; (3) The information does not contain PII; and (4) The submission of personal information is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) AMBIS contains a combination of information about users of the system collected at the time the user (federal employee, contractor, or fellow) is authorized to access the system, and information maintained by each individual user. This includes: i) name, ii) mailing address, iii) telephone number, iv) NED ID and v) email address. The data is contained only in the system and not disseminated. The data is required to authorize a user for access to AMBIS. This information is Federal contact data only. The information does NOT contain PII. Submission of this information is mandatory.

In addition, business contact information including i) name, ii) company telephone number, iii) company address, and iv) company email address is collected for vendor contacts. The data is required to contact the vendor regarding order status. The information does NOT contain PII. Submission of this information is voluntary.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
No IIF
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha Taylor/Margaret Moore
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/22/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH NIAID NIAID Clinical Data Management Suite [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/11/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8523-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NIAID NIAID Division of AIDS Enterprise System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Joe Marci
10. Provide an overview of the system: The Enterprise System (ES) is a comprehensive system that supports DAIDS’ business functions, management, and oversight responsibilities. It is exclusively for the use of administrators and research staff, and contains no clinical trials data, which are maintained in other systems not connected to the ES. Its components include:

· SharePoint Portal – a common access point for DAIDS staff inside NIAID; not reachable from outside the NIH firewall.
· Protocol Management – central repository for DAIDS network and non-network protocols.
· Protocol Registration – manages registration of sites on protocols.
· IND Management – Investigational New Drug – tracks and manages IND submissions to the FDA.
· Master Contact – centralized system for contact info for stakeholders engaged in clinical research (e.g., investigators, collaborators, institutions, labs, agencies, pharmaceutical sponsors, manufacturers). The ES Data Collection Center (EDCC), which is run under a contract managed by DAIDS, gathers publicly available contact information for staff and enters it for professional purposes.
· Expedited Adverse Experience Reporting System (DAERS) – expedited reporting of adverse events in DAIDS sponsored clinical trials. These events are tracked using general information about trials participants, not specifics such as names or traceable IDs.
· Clinical Site Monitoring System – official info source for Clinical Site Monitoring activities (e.g., tracking of monitoring schedules, assignment requests, site monitoring reports, & issues identified during site visits).
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The ES requires medical officers to provide CVs. For information about protocol registrations, clinical trials, trial sites, etc., the system relies upon the ES Data Collection Center (EDCC), managed by an external contractor, to provide business contact information for DAIDS administrative staff, such as workplace address, institutional affiliation, workplace e-mail, business phone number and so on. As part of the protocol registration, site management, etc. processes, the EDCC inputs work contact information supplied by individuals, along with other information supplied as part of these business processes.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The information the agency will collect, maintain, or disseminate

Organization: Displays the Organization with which the person is affiliated.
Type: Displays the Organization type associated with the organization name, e.g., Clinical Trials Unit, Clinical Research Site, Pharmacy, etc.
Organization ID: Displays the DAIDS-assigned Organization ID associated with the organization name, for all organization types except Clinical Research Sites.
Site ID: Displays the DAIDS-assigned Site ID associated with the Clinical Research Sites. The Site ID will only display if the Organization Type is Clinical Research Site.
Participant Name: Displays the full name of the person meeting the search criteria. The name appears as an e-mail hyperlink.
Participant Type: Displays the person type associated with the person name, e.g., Federal Personnel, Site Personnel, Network Personnel, etc.
Participant ID: Displays the Participant ID associated with the Person’s name. This is a number assigned by the ES to keep track of the person’s work information and status.
Role (Title): Displays the role of the person at the displayed organization and the title in parentheses.
Address: Displays the business address of the person at the organization.
Contact: Displays the business phone numbers of the person at the displayed organization.

(2) Why and for what purpose the agency will use the information

The Division of AIDS and NIAID collects CVs only in the ES for regulatory purposes.

(3) Explicitly indicate whether the information contains PII.

The PII consists of the contact information which the EDCC may gather from previously self-submitted data.

(4) Whether submission of personal information is voluntary or mandatory

Mandatory. There is no form or field in the ES for anyone to input or adjust their personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1) Notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system

Medical officers are responsible for uploading their CVs as part of the regulatory process.

(2) Notify and obtain consent from individuals regarding what PII is being collected from them

Beginning with its next formal release, the ES will include a notice on its Master Contact search results pages. The notice will read: “This system does not solicit Personal Identifiable Information (PII). It is intended strictly for business use. However, if an individual has provided PII on a contact form in the past, and that PII is publicly available, that PII may be reflected in the contact information displayed as a result of a DAIDS-ES search.”

(3) How the information will be used or shared

Work information, the CVs will be used to verify the status and credentials of a medical officer.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The ES permits only authorized and authenticated user access. Additionally, there are Federal (NIST, FIPS, OMB, GAO, agency-level HHS/NIH guidelines and directives compliant) and industry-best practices security measures in place to ensure the system utilizes and ensures the effective use of security controls and authentication tools to protect privacy to the extent feasible. Risk of unauthorized access is, therefore, considered low.

Authorized user access to information is limited to authorized personnel in the performance of their duties. Authorized personnel include system managers and their staffs, and NIH contractors and subcontractors, all of whom are responsible for administering the DAIDS-ES.

Physical safeguards: Rooms where data servers are kept are continually monitored. During all hours, rooms are locked and controlled by on-site personnel. Security guards perform random checks on the physical security of the storage locations after duty hours, including weekends and holidays.

Procedural and Technical Safeguards: A password is required to access the Portal and all its applications, and a data set name controls the release of data to only authorized users. Codes by which automated files may be accessed are changed periodically. This procedure also includes deletion of access codes when employees or contractors leave. New employees and contractors are briefed and the security department is notified of all staff members and contractors authorized to be in secured areas during working and nonworking hours. This list is revised as NIH requires the completion of a computer-based training (CBT) course entitled ‘Computer Security and Awareness’ for NIH staff and contractors. This CBT provides an overview of basic IT security practices and the awareness that knowing or willful disclosure of any sensitive information can result in criminal penalties associated with the Privacy Act, Computer Security Act, and other federal laws that apply. This CBT can be found at http://irtsectraining.nih.gov/. User access may be requested only by personnel authorized by the Executive Officer. Users are not permitted system access until the required system training prerequisites are completed and they demonstrate the competencies required to fulfill their work responsibilities.
Individuals remotely accessing the secured areas of the ES Internet sites have separate accounts and passwords, and all data transmitted between the server and workstations is encrypted.

These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS 45-13, and the Department's Automated Information System Security Handbook.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Natasha R. Taylor/Margaret Moore
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 8/24/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________
