
National Institutes of Health Privacy Impact Assessments - Page 6


06.3 HHS PIA Summary for Posting (Form) / NIH OD Computer Access to Research on Dietary Supplements (CARDS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/4/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Computer Access to Research on Dietary Supplements (CARDS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Karen Regan
10. Provide an overview of the system: CARDS is a database of federally funded research projects pertaining to dietary supplements.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: CARDS stands for Computer Access to Research on Dietary Supplements. It is a database of federally funded research projects pertaining to dietary supplements. The ODS was directed by the U.S. Congress to "compile a database of scientific research on dietary supplements and individual nutrients" as part of the Dietary Supplement Health and Education Act (DSHEA) which was passed by Congress in 1994. The information in CARDS is useful to the U.S. Congress, agencies of the Federal government, and the NIH Institutes for budgetary considerations. In addition, CARDS will provide useful information for researchers, health care providers, industry and the general public. CARDS contains projects funded by the United States Department of Agriculture (USDA), the Department of Defense (DOD) and the Institutes and Centers (ICs) of the National Institutes of Health (NIH) beginning with fiscal year 1999, the first year that NIH ICs began reporting research related to dietary supplements. Projects funded by other Federal agencies will be added to CARDS as they become available. The data contained in CARDS is downloaded from the Human Nutrition Research and Information Management (HNRIM) system maintained by NIDDK. The data contained in HNRIM is downloaded from the NIH IMPAC database. CARDS includes the following information from IMPAC about each project: sponsoring organization, project identifier numbers, project title, principal investigator, organization name, address, project abstract, fiscal year and start date.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD Correspondence Management and Action Tracking System (CATXpress)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 2/8/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: UPI number will be generated after CPIC is submitted
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD Correspondence Management and Action Tracking System (CATXpress)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Zanette Childs, IT Team Leader, NIH/OD/OAR
10. Provide an overview of the system: CATXpress is the industry-leading correspondence management and action tracking system. CATXpress is a 508-compliant, secured, Web-based application that provides complete, automated document and record control for the purposes of capturing, storing, retrieving, processing and tracking correspondence such as recommendations, meeting requests, meeting minutes, comments and other notes. It has electronic signatures and full security controls.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The information being collected, maintained and/or disseminated in the system is names, personal addresses, personal phone numbers and personal email addresses. (2) This information is being used for the purposes of tracking correspondence in the form of hard and electronic copy. (3) The information does contain PII. (4) Submission of this information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) A notice is provided at the point of entry into the CATXpress Tracking system informing researchers that their PII will be collected when their correspondence is submitted.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative Controls: System Security Plan; files are backed up daily and there are manuals and training guides for users.
Technical Controls: User identification and passwords plus a firewall. Authorized users will log in to CATXpress using Windows networking with multi-level security and access controls.
Physical Controls: The server is in a location secured by OIT.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 2/25/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD Delegations of Authority Database (DOA)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/30/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Delegations of Authority Database (DOA)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Daniel Hernandez, NIH Delegations Officer, (301) 435-3343
10. Provide an overview of the system: The DOA Database provides authorized members of NIH with the ability to enter delegations of authority for their respective IC; edit data concerning IC-specific delegations they enter, and run reports, by IC, on authorities delegated to NIH officials. In addition, they can delegate redelegable authorities within NIH delegations, to another member of the NIH community authorized to receive the particular authority. A delegation of authority is the formal assignment or commitment of legal power, usually to a subordinate official, to make certain decisions and take certain actions that have legal significance. The OD/OM/Office of Management Assessment has the responsibility to coordinate and maintain NIH Delegations of Authority from the NIH Director to senior NIH officials. No PII is contained within the DOA Database system.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The DOA Database will mirror and track NIH and IC-specific delegations of authority. The database allows authorized IC and OD DOA Coordinators and OHR Subject Matter Experts to enter a copy of the actual DOA for which they are responsible and manage it. The DOAs are not disseminated further than the IC responsible for the maintenance of its DOAs. The database is not used to redelegate authorities and does not contain the official record of the delegations of authority. A delegation of authority is the formal assignment or commitment of legal power, usually to a subordinate official, to make certain decisions and take certain actions that have legal significance. The DOA Database is accessible to NIH employees only, via the OMA Delegations website, but does not host its own website. User permissions are assigned on a need-to-know basis, as determined by the IC Executive Officers, OD Office Heads, and the DOA Database System Administrator. The database does not contain any PII. There is no submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Daniel Hernandez, NIH Delegations of Authority Officer, (301) 435-3343
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 7/1/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD Director's Document and Records Management System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 5/14/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: None Assigned
6. Other Identifying Number(s): none
7. System Name (Align with system Item name): NIH OD Director's Document and Records Management System (DDRMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ann Brewer, Director, Executive Secretariat, NIH
10. Provide an overview of the system: The system provides the processing, tracking, archiving, search and retrieval of all correspondence and responses directed to the NIH Director or Deputy Director. Documents include email, hardcopy mail and reports from any source, including HHS, Congress and the public. Records are managed for historical purposes and conform to NARA policies.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Correspondence received may be forwarded to an IC subject matter expert, or to the Office of the Secretary, HHS, for comment, review, drafting a response, or information purposes. Such correspondence might contain PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system tracks correspondence that is received by the Office of the Director of NIH and serves as a repository of electronic records for internal NIH use. All information provided to NIH is voluntary. The system may contain records with the following PII attributes: name, personal mailing address, personal phone number, personal email address, legal documents and an image of the original correspondence. Original correspondence may have subject matter that contains other personal information in the text of the correspondence. The information is not tracked by the system but is retained within the image of the original correspondence.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The PII is voluntarily provided by the sender and there are no processes in place to notify, obtain additional information or further consent after the correspondence has been received. DDRMS does not solicit or collect information for a database. The originator/correspondent voluntarily sends PII in the correspondence they authored to the NIH Director or Deputy Director. DDRMS contains only an image of the document originally submitted. DDRMS does not manipulate the information for another use.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is hosted by CIT, where annual security audits are conducted for physical, technical and administrative access. The system web site uses Secure Sockets Layer (SSL) and security logging is activated. The web user interface provides 128-bit encryption and is PKI-enabled. The system keeps an audit trail of all functional areas. The system, in conjunction with its operating environment, uses identification and authentication measures that allow only authorized users to access the system. The system uses multi-level role-based access controls that are regularly updated by the business owner and system administrator. Each user is required to log on with their user ID, domain and password. Users have access only to information that is pertinent to their IC. The user screen automatically requires a new login after 30 minutes of inactivity. The database containing the document images is encrypted. Physical records are stored in locked cabinets and deleted documents are shredded. The system provides digital signature capability that uses 2-factor authentication. All records that contain PII are marked RESTRICTED in red.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 6/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD Document Delivery System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/12/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3304-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): RELAIS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ben Hope
10. Provide an overview of the system: Relais is a document delivery system that allows library customers to request articles that are not readily available on-line. Relais stores user information that is available publicly in NED and tracks what has been requested.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The organization uses the information to correctly deliver documents to individuals who request them.
The system itself does not collect IIF or disperse IIF to other systems. The only IIF that is contained in the system is received from the NIH Enterprise Database (NED) through nightly updates. Specifically, they receive:

NIH ID
Name
NIH email
Office Location
Mail Stop
Office Phone Number
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There are none.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2010
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD Document Generation System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 4/23/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: NA
6. Other Identifying Number(s): NA
7. System Name (Align with system Item name): NIH OD Document Generation System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tish Best
10. Provide an overview of the system: The Document Generation System, also referred to as the "Workforms," is a web-based system used to generate contract and solicitation documents. The DGS data base or "workform language" consists of federal, departmental and local mandated acquisition clauses and provisions for various types of contracts and simplified acquisitions using the Uniform Contract Format (UCF). It is used by the NIH acquisition community.

The DGS "Workforms" have become the standard for acquisition offices and are used throughout the NIH. The DGS is a dynamic system and plans to expand workform templates for non-UCF documents can be accommodated in future updates.

The NCI Office of Acquisition (OA) developed the application and has maintained the DGS since it was "rolled out" in 2007 through June, 2010 because the Office of Acquisition Management and Policy (OAMP), Office of Acquisition and Logistics Management (OALM), NIH has not had the necessary funding and staff resources to fully support the system. To fill the gap, NCI OA has made the DGS available to the other NIH Offices of Acquisition. In June, 2010 OAMP, OALM, NIH assumed responsibility for the maintenance of the system "content," while NCI OA continued to take responsibility for the technical support of the system. In September, 2011, OAMP, OALM, NIH assumed total responsibility of the DGS. The DGS is now an NIH sponsored system. The NCI, CBIIT hosts the DGS through an internal funding mechanism between NCI, CBIIT and NIH, OD.

The system has an application which consolidates and creates numerous (17) listings of clauses, called "General Clause Listings", for use in our contract and solicitation documents. These General Clause Listings are published on the NIH OAMP Website as a resource for NIH staff, offerors and contractors. The DGS publishes these listings from the DGS system directly to the NIH OAMP website (http://oamp.od.nih.gov). This is the extent of the DGS involvement with our website. While it directly publishes information onto the site, it does not host the NIH OAMP Website.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NA
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The DGS collects/uses contract identifiers (PIIDs) from the NBS. In addition, each document generated will contain unique terms and conditions relative to the contract/solicitation being created, e.g. period of performance dates, statement of work, estimated costs & prices.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No IIF is collected
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF Collected
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Erica Lanier
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 6/7/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD DocuShare
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/30/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: no
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): DocuShare
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kelly Fennington
10. Provide an overview of the system: DocuShare is a web-based content management system used by OBA, designed to allow users to employ their Web browser to store, view, edit, and share information with other users across the Internet related to some of OBA’s activities. Anyone with access to the DocuShare site can download and upload documents, create and manage repositories called collections, and create calendars, bulletin boards, and other site objects.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Contained within the DocuShare system is information pertaining to human gene transfer protocols, including information pertaining to institutional review boards. OBA does not collect personally identifiable information, although such information may occasionally be contained within information submitted. If such information is inadvertently submitted, this data is redacted before downloading into the DocuShare system. Information of this nature, pertaining to institutional review boards, is only reviewed internally within OBA and not shared with other individuals.

Information related to specific details regarding adverse events associated with these protocols is not disseminated to the public or shared with other investigators and does not contain personally identifiable information. This information is collected in accordance with the NIH Guidelines and is used for in-house analysis of individual trials as well as across trials with similar products or methods. There is no information related to IBC members or rosters.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Electronic Government Ordering System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/12/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Electronic Government Ordering System (e-GOS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tim Warrington
10. Provide an overview of the system: The e-GOS application is an integrated, Web-based Task Order (TO) processing system that automates NITAAC’s CIO-SP2i Government Wide Acquisition Contract (GWAC). The e-GOS application combines e-Business, Customer Relationship Management (CRM), workflow, and document management to streamline the process of GWAC ordering from concept to closeout, providing interfaces for Government Customers, Commercial Contractors, and NITAAC personnel to collaborate on meeting the procurement needs. e-GOS provides NITAAC, its customers, and commercial contractors the capability to process TOs and manage financial data using the Internet. There is no public access of e-GOS.

The security information used in the initialization and implementation of the e-GOS user profiles needs to be protected to avoid compromising the overall integrity and reputation of the agency’s website.

The privacy data items used are: First Name, Middle Initial, and Last Name, as well as organization (government or contractor) email address.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The name of an individual may be shared across agencies for the purpose of contacting that individual with respect to a contract. This might be the CO, COTR, or other federal employee, or a representative of a contractor company who needs to be contacted by the Federal procurement organization.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The system only collects Federal Contract Data in the form of organizational data and work contact information for the organization's representatives, such as COs and COTRs. It also collects contractor data organized by corporation and contact information for the corporation to the extent necessary to make an award to the contractor with the winning proposal. (2) e-GOS is a tool similar to GSA e-BUY and FedBizOpps, where solicitations are posted for review, competition, and award by contractors. (3) The PII contained in the information includes only the name of individuals, their place of employment, and work phone, address, and email. (4) Submission of personal information is not required and not desired.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Major changes in e-GOS do not require obtaining consent from users. No notification procedures are required.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to the system is based on roles. The system will be protected with intrusion detection, intrusion prevention, vulnerability scans and firewalls.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Electronic Research Administration [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/1/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-04-00-01-4613-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036, 09-25-0168
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD Electronic Research Administration (eRA) (FISMA)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: The electronic Research Administration (eRA) program is a component of the Office of Research Information Systems (ORIS) in the NIH Office of Extramural Research (OER), headquartered in Bethesda, Maryland. The eRA systems provide information technology solutions and support for the full life cycle of grants administration functions for the NIH as well as the Agency for Healthcare Research and Quality (AHRQ), Centers for Disease Control and Prevention (CDC), Food and Drug Administration (FDA), the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Veterans Health Administration (VA). eRA systems align with Grants.gov (the one-stop Web portal for finding and applying for federal grants), allowing for full electronic processing of grant applications from application submission through closeout of the grant award. eRA supports two main subsystems: "eRA Internal Applications" (also known as IMPAC II (Information for Management, Planning, Analysis, and Coordination)), used by NIH staff, and "eRA External Applications" (Commons, iEdison), accessed by the grantee community through the Internet. eRA helps DHHS achieve its missions of medical discovery and science management by: 1) electronically capturing, managing, and protecting research grant-related data, 2) reducing administrative overhead, 3) reporting research grant-related data as information to NIH and extramural communities, and 4) enabling the synthesis of the information into knowledge that can guide the management of the NIH research portfolio and improve the Nation’s health.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The eRA program facilitates grants administration support to NIH Institutes and Centers and to DHHS agencies that fund extramural research. eRA acts as the infrastructure for conducting interactive electronic transactions for the receipt, review, monitoring, administration and closeout of NIH grant awards to biomedical investigators worldwide.

The SORNs listed in response to question #4 cover the eRA systems as a whole. Refer to the PIAs for the individual eRA systems for details on the information collected by the systems, what the information is used for, whether the information contains PII, and whether submission of personal information is voluntary or mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Electronic TRP Information Management System (eTIMS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Electronic Technical Refreshment Proposal Information Management System (eTIMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tim Warrington, Sanjay Panniken
10. Provide an overview of the system: The eTIMS vendor portal will help vendors upload their proposals in the prescribed format and view the status of their proposals. It will provide automated data quality checks and return the result instantaneously to the vendors if any data validation error occurs, so that the vendor can perform the corrective action and upload again. This portal will enable the vendor to view the current status of their proposal and perform actions based on their proposal status. The external users for this portal will be the vendors on the Electronic Commodities Store III (ECS III) contract, who will have limited privileges under Vendor roles.

Another web module, the eTIMS II Support Team Portal, which uses the same database, will help the support team at the National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) to review the received proposals and approve/disapprove the individual Contract Line Item Numbers (CLINs) under a proposal. Only NITAAC internal users will have access to this application, performing the Support Team Reviewer, Quality Control (QC), Contracting Officer (CO) and admin roles.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system will hold the proposal data submitted by the prime contractors under the ECS III contract. The prime contractors are the approved vendors (e.g., DELL, HP) under the ECS III contract. It will store the list of prime contractors and the users belonging to those prime contractors, who will be able to use this system after registration. No personal information is stored except for the name of the user. This system does not store federal contact data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) We do not expect to store any PII other than the name of the user. If that changes in the future, proper notifications (emails, notices published on the vendor portal) explaining why the data needs to be captured and how it will be used will be transmitted to all vendor users, and their consent will be obtained.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: In terms of administrative controls, we have a security plan in place, and the system administrators, managers and operators are trained and made aware of their responsibilities in securing the privacy of the PII data. A User Manual is available which provides role-based details on the tasks that can be accomplished using the system. Apart from this, methods are in place to ensure least privilege and to provide only the required access to individual users.

In terms of technical controls, the system requires a username and password for access. The system is secured within the NIH firewall. Furthermore, an intrusion detection system is in place, which is monitored regularly to proactively identify any intrusion into the system and thus provide a safe environment.

In terms of physical controls, only authorized personnel can access the physical location, using key cards to enter the location, which is monitored using closed-circuit TV.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 11/14/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Employee Database Internet Edition (EDie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/4/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018, 09-90-0024, 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Employee Database Internet Edition (EDie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Pat Porter or Deepak Mathur
10. Provide an overview of the system: EDie is an intranet based application primarily used to manage and track personnel information. Authority for maintenance of the system: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is intended for internal administrative use only and will not be shared by other entities. Refer to SORN 09-90-0018, SORN 9-90-0024 and 09-25-0216.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EDie tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from the employees via the Human Resources Database (HRDB) system, Fellowship Payment System (FPS), nVision Data Warehouse and NIH Enterprise Directory (NED). Uses consist of the following: a) tracking time-limited appointments to ensure renewals are done in a timely manner, thereby avoiding any break in service; b) ensuring that allocated FTE ceilings are maintained; c) ensuring salary equity for various hiring mechanisms; d) providing reports requested by the NIH Director, the IC Director, and other management staff, as requested; and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments. The PII data elements collected, maintained or disseminated on the system are name, date of birth, SSN, Personal Mailing Address, Personal Phone Numbers, Personal Email Address, Employment Status, and Foreign Activities. The information collected constitutes PII and is mandatory for all employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PII in the system is downloaded from the HRDB, FPS, nVision Data Warehouse and NED. Changes to the HRDB or changes in the way information is used are relayed to employees via official notices from the NIH Office of Human Resources (OHR). Individuals are notified of the collection and use of the data as part of the hiring process. This is a mandatory requirement for potential applicants seeking employment at NIH.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII stored in EDie is accessed by a very limited number of administrative staff with a "need-to-know" status. EDie is password protected and sensitive data is encrypted. The system is located at the OD location in Building 31, Room B1E35 for Production servers and Building 6705 Rockledge, Room 1179 for Test servers, behind the NIH firewall.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/9/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Enterprise Ethics system (NEES)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4678-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): OGE/GOVT-1 and OGE/GOVT-2
5. OMB Information Collection Approval Number: SF-278 approval form No. 3209-0001 (Public Financial Disclosure Statement), OGE-450 (Confidential Financial Disclosure Report), HHS-520 (Request for Approval of Outside Activity), HHS-521 (Approval Report of Outside Activity), NIH-2854 (Request for Approval to Accept Gifts Associated with an Award From an Outside Organization)
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH OD Ethics NEES (NIH Enterprise Ethics System)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Holli Beckerman-Jaffe/Genia H. Bohrer
10. Provide an overview of the system: The NIH Enterprise Ethics System (NEES) is a secure web-based workflow management and information technology system in support of the NIH Ethics Program that assists NIH staff with meeting the required statutes and regulations governing the ethical behavior of Executive Branch employees of the Federal Government.

The objective of NEES is the comprehensive automation of the NIH Ethics Program that takes into account various business policies and processes at NIH, through the utilization of numerous related applications and data stores. Specifically, NEES will provide the means to:

· Electronically submit all ethics-related reports and requests along with supporting documentation
· Electronically review and approve all ethics-related reports and requests, along with supporting documentation
· Electronically track and report on all ethics-related reports and requests, submissions, reviews, and approvals as well as other related activities associated with the Ethics Program at NIH
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII contained in NEES is shared with users in HHS Office of General Counsel for the purpose of reviewing forms submitted by the senior staff at NIH. This data is also available to two NEES technical staff contractors for the purpose of connecting the NEES production database with the development database.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system collects and maintains personal financial data for designated employees, including assets, income, liabilities, transactions, gifts, outside positions, and financial agreements. All of this information is considered PII, although the system does not collect or store any identifying account numbers. This information is reviewed by NIH Ethics Officials to ensure no actual or apparent Conflict of Interest (COI) exists that would breach the public trust. The reporting of this information is mandatory, required by several different statutes and regulations at various levels of government (Federal, HHS, and NIH).
Section 5301 of Title 5 of the U.S. Code authorizes collection of this information and includes actions to be taken when this information is not provided.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The website publishes release notes to the site to notify users when major changes occur to the system. The website used to collect the data contains a Security and Privacy Notice detailing the authority for collection as well as the purposes and uses of the information.

Consent is not required as reporting of this information is required as a condition of employment and by Federal law.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative: Access to financial data is limited to 3 people: the filer, who enters and submits the data; the Ethics Coordinator assigned to review the data; and the Deputy Ethics Counselor, who reviews the data and certifies the form. Only these 3 people have the ability to let anyone else view the data.

Technical: Access to the system is controlled by NIH log-in which authenticates the user prior to granting access. Access level and permissions are controlled by the system and based on user, role, organizational unit, and status of the report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain integrity of data.

Physical controls: The servers reside in the CIT Computer Room where policies and procedures are in place to restrict access to the machines. This includes guards at the front door and entrance to the machine room as well as an IRIS scan.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Genia Hess Bohrer/Holli Beckerman-Jaffe
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 10/28/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Commons
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/1/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD eRA-Commons
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: The eRA Commons is one of the "external" subsystems supported by the Electronic Research Administration (eRA), and is accessed by the grantee community through the Internet. The eRA Commons provides an interface where grant applicants, grantees and federal staff at NIH and grantor agencies can access and share administrative information relating to research grants.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is only used internally and is controlled via role based access controls.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information includes name, date of birth (voluntary), last 4 digits of the Social Security Number (voluntary), gender (voluntary), mailing address, phone number, e-mail address, citizenship information, education record, and employment status. Commons provides grants administration support to the NIH institutes and centers, and to other Department of Health and Human Services (DHHS) agencies that fund extramural research, and the VA. Submission of PII information is mandatory except where stated otherwise and is used to create the database record for the grant application. Date of birth and gender offer a Do Not Wish to Provide option.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No process exists to notify or obtain consent when there is a major change to the system that affects disclosure and/or data uses, since the notice is given at the time of the original collection. Applicants are notified that data is collected when they enter it into the system or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include certification and accreditation, system security plan, contingency plan, system backups, policies, and procedures. Technical controls include user ID and password to access system, as well as firewalls, VPN, and encryption. Physical Controls include guards, ID badges, key cards, and locked SAS 70 audited server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Electronic Council Book (ECB)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/1/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): eRA-Electronic Council Book (ECB)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: eRA's Electronic Council Book (ECB) is an administrative tool used to provide summary statements, percentiles, priority scores, key identifying information, and supporting documents for grant applications going to council for second level review. ECB is a subsystem of the larger Electronic Research Administration (eRA) information system, which as a whole facilitates grants administration support to NIH institutes and centers and to all DHHS agencies that fund extramural research; eRA acts as the infrastructure for conducting interactive electronic transactions for the receipt, review, monitoring, administration and closeout of NIH grant awards to biomedical investigators worldwide.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: eRA's Electronic Council Book (ECB) is an administrative tool used to provide summary statements, percentiles, priority scores, key identifying information, and supporting documents for grant applications going to council for second level review. ECB is a subsystem of the larger Electronic Research Administration (eRA) information system. (1) ECB has the ability to conduct online reviews of grant applications. This is accomplished via a mechanism called "Early Concurrence." Advisory Council members are assigned to panels created by the various NIH institutes. When members log into the ECB, if they are members of these panels, they have the ability to perform two actions with respect to the applications they have been assigned to review: (a) they can cast votes online to indicate whether they agree with funding or not funding the application(s), and (b) they may write comments and submit them for the purpose of explaining the rationale behind the votes they have cast. No other information is collected from Council Members. ECB data administrators in each NIH institute have the ability to view this data and create report outputs summarizing both votes and comments. (2) The information is collected for the purpose of conducting expedited council reviews ("early concurrence"), which enables NIH institutes to fund qualifying applications in advance of the regular council review cycle. This expedited review process serves the purposes of distributing workload for grants specialists, reducing workload at actual council meetings and shortening the funding cycle so that research dollars reach applicants more quickly. 
(3) No PII is collected, processed, or disseminated. ECB only displays grant summary statements, not full grant applications. Only the Principal Investigator’s name is displayed. (4) There is no submission of PII required.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Pete Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Information for Management, Planning, Analysis, and Coordination (IMPAC II)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/1/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD eRA-Information for Management, Planning, Analysis, and Coordination (IMPAC II)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: IMPAC II (Information for Management, Planning, Analysis, and Coordination) is one of the two main subsystems supported by the Electronic Research Administration (eRA), which as a whole facilitates grants administration support to NIH Institutes and Centers and to DHHS agencies that fund extramural research. eRA acts as the infrastructure for conducting interactive electronic transactions for the receipt, review, monitoring, administration and closeout of NIH grant awards to biomedical investigators worldwide. IMPAC II includes modules and applications for specific business functions as well as cross-cutting modules and query tools and is the main internal subsystem of the eRA program. IMPAC II is used only by authorized NIH staff and authorized users at eRA’s Federal agency partners. IMPAC II provides a suite of electronic tools (modules and applications) to support the four primary phases of grants administration: intake, review, award, and post award management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is only used internally and is controlled via role based access controls.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information includes name, date of birth (voluntary), last 4 digits of the Social Security Number (voluntary), gender (voluntary), mailing address, phone number, e-mail address, citizenship information, education record, and employment status. IMPAC II is used internally at NIH for the processing of grants and awards. Submission of PII information is mandatory except where stated otherwise and is used to create the database record for the grant application. Date of birth and gender offer a Do Not Wish to Provide option.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No process exists to notify or obtain consent when there is a major change to the system that affects disclosure and/or data uses, since the notice is given at the time of the original collection. Applicants are notified that data is collected when they enter it into the system or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include certification and accreditation, system security plan, contingency plan, system backups, policies, and procedures. Technical controls include user ID and password to access system, as well as firewalls, VPN, and encryption. Physical Controls include guards, ID badges, key cards, and locked SAS 70 audited server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Internal Applications
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/1/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD eRA Internal Applications
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: eRA Internal Applications is one of two main subsystems supported by the Electronic Research Administration (eRA), which as a whole facilitates grants administration support to NIH Institutes and Centers and to DHHS agencies that fund extramural research. eRA acts as the infrastructure for conducting interactive electronic transactions for the receipt, review, monitoring, administration and closeout of NIH grant awards to biomedical investigators worldwide. eRA Internal Applications include modules and applications for specific business functions as well as cross-cutting modules and query tools and is the main internal component of the eRA program. eRA Internal Applications are used only by authorized NIH staff and authorized users at eRA's Federal agency partners. eRA Internal Applications provide a suite of electronic tools (modules and applications) to support the four primary phases of grants administration: intake, review, award, and post award management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is only used internally and is controlled via role based access controls.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information includes name, date of birth (voluntary), last 4 digits of the Social Security Number (voluntary), gender (voluntary), mailing address, phone number, e-mail address, citizenship information, education record, and employment status. eRA Internal Applications are used internally at NIH for the processing of grants and awards. Submission of PII information is mandatory except where stated otherwise and is used to create the database record for the grant application. Date of birth and gender offer a Do Not Wish to Provide option. Not all eRA Internal Applications have access to the PII that is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No process exists to notify or obtain consent when there is a major change to the system that affects disclosure and/or data uses, since the notice is given at the time of the original collection. Applicants are notified that data is collected when they enter it into the system or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include certification and accreditation, system security plan, contingency plan, system backups, policies, and procedures. Technical controls include user ID and password to access system, as well as firewalls, VPN, and encryption. Physical Controls include guards, ID badges, key cards, and locked SAS 70 audited server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Query View Report (QVR)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/1/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): eRA-Query View Report (QVR)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: eRA's QVR is an analytical tool used for ad hoc querying and reporting of grants data. QVR is a subsystem of the larger Electronic Research Administration (eRA) information system, which as a whole facilitates grants administration support to NIH institutes and centers and to DHHS agencies that fund extramural research; eRA provides the infrastructure for conducting interactive electronic transactions for the receipt, review, monitoring, administration and closeout of NIH grant awards to biomedical investigators worldwide.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is only used internally and is controlled via role-based access controls.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: eRA's QVR is an analytical tool used for ad hoc querying and reporting of grants data. QVR is a subsystem of the larger Electronic Research Administration (eRA) information system. (1) QVR is used to search and view detailed information about grant applications and awards. It integrates information from eRA IMPACII (information on extramural applications and awards), the NIH Data Warehouse (database of financial obligations), and NLM's PubMed (database of indexed journals, citations, and abstracts). It does not collect any information; it is only a query, view, and reporting tool. (2) QVR provides NIH and its Federal agency partners integrated access to query, view, and report from multiple systems. The system provides a series of reports for most grants management functions, acts as a portal for viewing a variety of research and research training applications and awards from eRA IMPACII, allows access to broader extramural obligation data from the NIH Data Warehouse, and provides a link to the publicly available National Science Foundation system for grant awards by that agency. (3) No PII is collected or processed. The only PII that is disseminated is the Principal Investigator's name, address, and personal e-mail. The SORN listed in response to question #4 covers the eRA information system as a whole, and is not meant to imply that QVR in particular collects, processes, or disseminates PII. (4) There is no submission of PII required. QVR is strictly a reporting tool and does not collect any information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) QVR does not collect any PII. The PII that QVR disseminates comes from eRA IMPACII. Individuals whose PII may be displayed via QVR are notified that data is collected when they apply for a grant via other eRA subsystems.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include certification and accreditation, system security plan, contingency plan, system backups, policies, and procedures. Technical controls include user ID and password to access system, as well as firewalls, VPN, and encryption. Physical Controls include guards, ID badges, key cards, and locked SAS 70 audited server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Pete Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD eRA Research, Condition, and Disease Categorization (RCDC)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/1/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): eRA-Research, Condition, and Disease Categorization (RCDC)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carla Flora
10. Provide an overview of the system: eRA's RCDC is a computerized reporting process NIH uses to sort and report NIH funding in each of 215 historically reported categories of disease, condition, or research. RCDC is a subsystem of the larger Electronic Research Administration (eRA) information system, which as a whole facilitates grants administration support to NIH institutes and centers and to all DHHS agencies that fund extramural research; eRA acts as the infrastructure for conducting interactive electronic transactions for the receipt, review, monitoring, administration and closeout of NIH grant awards to biomedical investigators worldwide.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: eRA's RCDC is a computerized reporting process NIH uses to sort and report NIH funding in each of 215 historically reported categories of disease, condition, or research. RCDC is a subsystem of the larger Electronic Research Administration (eRA) information system. (1) RCDC reports on three types of NIH funding: research grants (extramural research), research and development (R&D) contracts, and research conducted in NIH's own laboratories and clinics (intramural research). (2) RCDC provides NIH and its Federal agency partners a complete list of funded research projects by category, consistent category definitions applied to all projects each year, and a clear and efficient process for categorizing and reporting on NIH funding. NIH reports funding to the public for the 215 categories, but also provides funding data for categories beyond the 215 public categories that are used for NIH internal planning and analysis. (3) No PII is collected, processed, or disseminated. RCDC only displays grant summary statements, not full grant applications. Only the Principal Investigator's name is displayed. (4) There is no submission of PII required.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Pete Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Genetic Modification Clinical Research Information Systems [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/17/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-01-4630-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200 (Clinical, Basic and Population-Based Research Study Records)
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): 009-25-01-26-02-4630-00
7. System Name (Align with system Item name): Genetic Modification Clinical Research Information System (GeMCRIS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kelly Fennington
10. Provide an overview of the system: To enhance the collection, analysis, and application of safety information related to human gene transfer clinical trials.
NIH is a major focal point within the U.S. Department of Health and Human Services (DHHS) for addressing the scientific, ethical, legal, and societal issues raised by advances in biotechnical research. A critical objective in NIH's mission is to gather, evaluate, and disseminate information regarding developments in biomedical research programs. NIH provides the information to the general public, which includes patients and their families, physicians, advocacy groups, researchers, biosafety experts, and industry representatives. NIH is sponsoring several initiatives aimed at enhancing the systematic collection, analysis, and application of safety information from gene therapy clinical trials. One of these initiatives is the Genetic Modification Clinical Research Information System (GeMCRIS). GeMCRIS is a data system developed by the Office of Biotechnology Activities (OBA) in collaboration with the Food and Drug Administration (FDA) to manage information about the conduct of gene transfer clinical trials. A key contribution of GeMCRIS is that it will permit access to information in a form that enhances the types of review and analyses critical for optimizing patient safety, identifying critical information gaps, and facilitating scientific collaboration and progress.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII may be entered into the system by various stakeholders, including investigators, study coordinators, and sponsors. The system will share or disclose PII to NIH and FDA for the purpose of Government data analysis and research-safety surveillance.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) In general, the system has the capability to include PII relating to:
- General Notification Information (e.g., Provider/Physician Name, Reporter Name, Manufacturer Contact Name, etc.)
- Subject Demographic Information (including Patient Identifier, Patient's age/DOB, gender, race, height, weight)
- Medical and Event Information (including Adverse Event description containing event outcome, symptoms, reactions, diagnosis, lab results, autopsy information, vaccine information, subject medical history, interventions, observations, and may also include attachments of medical records).
(2) The agency will use the information to support Government data analysis and research-safety surveillance
(3) As indicated above, data collected may include PII
(4) The submission of personal information is voluntary
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1) Any major changes to the use of PII stored in the system will be communicated to individuals through the process established for providing notices to participants who are subjects of the research.
(2) Individuals consent to participation in the research, so consent is obtained to use that information before the information is entered into the system.
(3) PII (such as DOB, Medical Notes) can only be accessed and viewed by the personnel who are associated with the clinical trials and adverse events.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: GeMCRIS servers are protected by two firewalls: GeMCRIS private firewall and NIH firewall. Only authorized users (whose GeMCRIS access requests have been reviewed and approved by OBA) can access GeMCRIS and their associated adverse event reports. The System Security Plan contains a detailed description of all the physical, technical and administrative controls that are in place.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Kelly Fennington
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Grantee Financial Conflict of Interest System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/11/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: 0925-0417
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Grantee Financial Conflict of Interest (FCOI) Notifications Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tom Turley
10. Provide an overview of the system: The internal OER FCOI Notifications database was initially developed in 2004 to track incoming FCOI report information. These FCOI reports are received from grantee institutions that identify a financial conflict of interest for an individual defined as an “Investigator” under the FCOI regulation. Information from the incoming report, including the Investigator’s name, was manually entered into the database by the Office of Policy for Extramural Research Administration. The internal database was revised in 2007 to include use by NIH IC extramural staff so they could monitor the receipt and review of FCOI reports submitted to NIH. In 2009, NIH developed and implemented an electronic research administration (eRA) Commons FCOI Module for the grantee community’s use to report identified FCOIs to the NIH for grants and/or cooperative agreements. The information submitted through the Commons is transmitted to IC staff through the FCOI Notifications database. NIH made use of the FCOI Notifications database mandatory for NIH IC extramural staff on 3/1/2008 and the eRA Commons FCOI Module was made mandatory for use by grantees on 7/1/2009.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The PII information includes the name of the Investigator with the identified conflict that is shared with the NIH staff to monitor the receipt and review of FCOI reports submitted to the NIH by grant and cooperative agreement applicants and/or award recipients.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The information collected and/or maintained in the FCOI Notifications database will include the following:
Project number
Awarding IC Name;
Grants Management Contact
Date of incoming FCOI report ;
Date of acknowledgement letter sent documenting receipt of FCOI report;
Grantee Institution Name and subrecipient name, if applicable;
Grantee Institution Official's name and contact information (not federal contact information);
Name of the Investigator with the conflict;
Name of the entity with which the Investigator has a FCOI;
Name of the financial interest ;
Value of the financial interest;
A description of how the financial interest relates to the NIH-funded research and the basis for the Institution’s determination that the financial interest conflicts with such research;
A description of the key elements of the Institution’s management plan
Any attachments included by the grantee or IC;
Date when the grants management staff notifies the program staff of the incoming report;
Date of any follow-up letter sent to the grantee;
Date when the IC completes its review;
NIH review status (e.g., pending, completed or legacy);
Commons Status (e.g., WIP, Submitted);
FY or Calendar Year FCOI report was submitted.
(2) This information is used by NIH staff to monitor the receipt and review of FCOI reports submitted to the NIH by grant and cooperative agreement applicants and/or award recipients.
(3) The database contains the name of the investigator with the identified conflict. The name of the individual is the only PII data collected.
(4) Mandatory
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1- The FCOI database pulls information from the eRA system of records, so this element is not applicable.
2- The Grantee Institution submits the FCOI report information on the behalf of the Investigator with the noted conflict; NIH does not seek consent from individuals themselves.
3- Information within the system is available for viewing by NIH program and grants management staff during the pre-award, award, and post-award stages to assess information reported by grantee institutions. Information found in the FCOI Notifications database will generally not be shared outside of NIH. However, this information is subject to the Freedom of Information Act (FOIA).
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative: Direct access to the database is restricted to a few administrative users with associated permissions stored on the server. The database is housed at the NIH Data Center and is protected with general network firewalls as well as application-specific firewalls and Disaster Recovery protection. Technical: This site is subject to CIT security scans and reviews of physical security, operating practices, and procedures. Certification and Accreditation of hosting systems is done in accordance with NIH policies and procedures. Only users with registered credentials on secured servers have direct access to related databases. Physical: The NIH Data Center provides 24/7 physical security of its server room. Only authorized users that pass through CIT security guards have physical access to the server.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/29/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Human Embryonic Stem Cell Registry Application (hESCRegApp)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/7/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Human Embryonic Stem Cell Registry Application (hESCRegApp)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tom Turley
10. Provide an overview of the system: The hESC Registration Application Database is a web based application that will allow NIH to collect, manage and approve hESC lines.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Approximately 10 reviewers will be able to access PII contributed by respondents. Reviewers will be both NIH personnel and selected individuals working on behalf of NIH.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Individuals submitting data on stem cell lines will be asked for contact information for the purpose of facilitating NIH review of those lines. Submission of all information is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1) Email addresses and other contact information will be collected from individuals who submit data; this contact information will allow NIH to contact them should changes to how PII is used occur.
2) The website that collects the data on stem cell lines will contain an easily accessible privacy statement regarding collected PII.
3) The website that collects the data on stem cell lines will contain information that notifies respondents that PII will only be shared with reviewers.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls are in place including guards, keycards, and ID badges.

Administrative controls are in place that ensure least privilege for each user group as appropriate. System administrators will have full access, but the general public will only be able to submit and browse survey responses. All system administrators take required training each year to ensure they understand how to secure information systems and PII data properly.

Technical controls are in place to ensure that those with access to sensitive data and systems use industry accepted best practices to secure login credentials. A corporate firewall is in place that only allows web traffic from outside of NIH; all other firewall ports are closed to prevent outside intrusion.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD Human Resources Database [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/27/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-4999-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): Human Resources Database (HRDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Easterday
10. Provide an overview of the system: The data base contains information collected by the Enterprise Human Resources and Payroll System (EHRP) for the purposes of HR reporting. This information includes job-related data as well as PII.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information in these records may be used:
(1) By the Office of Personnel Management, Merit Systems Protection Board (including its Office of the Special Counsel), Equal Employment Opportunity Commission, and the Federal Labor Relations Authority (including the General Counsel of the Authority and the Federal Service Impasses Panel) in carrying out their functions.
(2) In the event an appeal is made outside the Department, records which are relevant may be referred to the appropriate agency charged with rendering a decision on the appeal.
(3) In the event that this system of records indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether federal, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto.
(4) In the event the Department deems it desirable or necessary, in determining whether particular records are required to be disclosed under the Freedom of Information Act, disclosure may be made to the Department of Justice for the purpose of obtaining its advice.
(5) A record from this system of records may be disclosed as a “routine use” to a federal, state or local agency maintaining civil, criminal or other relevant enforcement records or other pertinent records, such as current licenses, if necessary to obtain a record relevant to an agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant or other benefit. A record from this system of records may be disclosed to a federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency's decision on the matter.
(6) In the event that this system of records indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use to the appropriate agency, whether state or local charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto.
(7) Where federal agencies having the power to subpoena other federal agencies' records, such as the Internal Revenue Service or the Civil Rights Commission, issue a subpoena to the Department for records in this system of records, the Department will make such records available.
(8) Where a contract between a component of the Department and a labor organization recognized under E.O. 11491 or 5 U.S.C. Chapter 71 provides that the agency will disclose personal records relevant to the organization's mission, records in this system of records may be disclosed to such organization.
(9) The Department contemplates that it will contract with a private firm for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. Relevant records will be disclosed to such a contractor. The contractor shall be required to maintain Privacy Act safeguards with respect to such records.
(10) Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressio
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information provided in HR status/informational/metric/performance reports. PII is mandatory for metric reporting purposes.
HRDB collects data on NIH employees (e.g., action type, employee name, Empl ID, IC). The agency uses the data to provide performance metrics to HR and NIH management. The collection of minimal personal data is mandatory for reporting.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) HRDB collects minimal personal data, e.g., name, Empl ID, organization, etc. It does rely on SSN, DOBs; therefore, no employee consent is obtained. Emails are sent to supervisors and users when changes in profiles/accounts occur.
Notices are in the form of electronic emails.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: System uses an ID and passwords; passwords are changed every 90 days. Access is based upon roles and on a need to know basis. Users are locked out after a specified time period and number of login attempts.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Plá
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD Information Security and Privacy Awareness Training
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/12/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-02-00-02-3112-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): OPM GOVT-1, General Personnel Records
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD Information Security and Privacy Awareness Training
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Captain Cheryl A. Seaman
10. Provide an overview of the system: The NIH security and privacy awareness website contains a variety of courses which pertain to annual information security awareness, privacy awareness, securing remote computers, completing refresher requirements, etc. The security awareness training is mandatory for all NIH employees and contractors within 60 days of employment. All NIH personnel and other persons using IT equipment and information systems, or who access NIH privacy systems of record are required to complete the courses. The system also allows individuals to self-record role-based training. It also allows individuals to accept (agree to adhere to) the NIH IT General Rules of Behavior, and if relevant, the Remote Access User Certification Agreement.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information about the status of training completion may be shared with supervisors for the purpose of reporting non-compliance with the mandatory requirement to complete the training within the specified timeframe.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The training course requires that NIH users log onto the course using their NIH ID Number. Members of the public are not required to provide any PII. Their progress is not tracked but they can receive a certificate of completion.

The tracking system exists to allow recordation of user's training, agreement to follow the NIH IT General Rules of Behavior, and if relevant, agreement to follow remote access requirements. Individual record information is not disseminated. Compliance statistics are reported to HHS and OMB in the aggregate.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Aside from an individual's name and NIH ID number, there is no other PII information in the system. When an NIH employee or contractor logs in with their NIH ID number, this system runs against active NED data to derive the identity of the individual. The individual is then prompted to verify (Yes or No) their identity so they will receive credit for the course.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: From a User's perspective: Any user can log into the website (not the tracking system) and view their Student Record, which provides completion information (including dates modules/courses were completed, i.e., they can see all the information contained in the system relevant to their record). If they have any concerns about the recordation, they can contact the NIH IT Service Desk.

From the Administrator perspective: There are different levels of access depending on the role of the individual accessing the tracking system. These roles include administrator Institute/Center specific access with or without authorization capability, read-only, read-only and authorize capability.

Tracking system users use a password to access the tracking system.

The need for ongoing access to this online tracking system is verified annually. When a person leaves or they are no longer considered to need access, they are made inactive and can no longer access the data.

The type of role assigned to users is derived based on a request by the relevant Institute/Center Information Systems Security Officer and their need for access.

There is a time-out feature for inactivity (15 minutes) requiring the user to log back into the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Plá
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 8/12/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD Integrated Library System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/12/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3304-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0217
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Innopac
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ben Hope
10. Provide an overview of the system: Innopac is the Integrated Library system that runs the Division of Library Services catalog, their web interface to the DLS catalog, the patron file with public NED information, the acquisitions information for book and journal purchases, and the catalogs for 5 other Libraries.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not normally disclose IIF with other groups. However under particular circumstances, the following reasons can cause information to be released (SOR# 09-25-0217):
Records will be routinely disclosed to the Treasury Department in order to effect payment.
Records may be disclosed to Members of Congress concerning a Federal financial assistance program in order for members to make informed opinions on programs and/or activities impacting on legislative decisions. Also, disclosure may be made to a Member of Congress or to a Congressional staff member in response to an inquiry from the Congressional office made at the written request of the individual.
Disclosure may be made to the Department of Justice for the purpose of obtaining its advice regarding whether particular records are required to be disclosed under the Freedom of Information Act.
A record from this system may be disclosed to a Federal, State or local agency maintaining civil, criminal or other relevant enforcement records or other pertinent records, such as current licenses, if necessary to obtain a record relevant to an agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract or the issuance of a license, grant or other benefit by the requesting agency, to the extent that the record is relevant and necessary to its decision on the matter.
Where Federal agencies having the power to subpoena other Federal agencies’ records, such as the Internal Revenue Service (IRS) or the Civil Rights Commission, issue a subpoena to the NIH for records in this system of records, the NIH will make such records available, provided however, that in each case, the NIH determines that such disclosure is compatible with the purpose for which the records were collected.
Where a contract between a component of HHS and a labor organization recognized under E.O. 11491 provides that the agency will disclose personal records relevant to the organization’s mission, records in the system of records may be disclosed to such an organization.
A record may be disclosed to the Department of Justice, to a court, or other tribunal, or to another party before such tribunal, when: (1) HHS, or any component thereof; (2) any HHS employee in his or her official capacity; (3) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (4) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to the litigation or has an interest in the litigation, and HHS determines that the use of such records by the Department of Justice, the tribunal, or the other party is relevant and necessary to the litigation and would help in the effective representation of the government party, provided however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected.
A record about a loan applicant or potential contractor or grantee may be disclosed from the system of records to credit reporting agencies to obtain a credit report in order to assess and verify the person’s ability to repay debts owed to the Federal Government.
When a person applies for a loan under a loan program as to which the OMB has made a determination under I.R.C. 6103(a)(3), a record about his or her application may be disclosed to the Treasury Department to find out whether he or she has a delinquent tax account, or the sole purpose of determining the person’s creditworthiness.
A record from this system may be disclosed to the following entities in order to help collect a debt owed the United States:
a. To another Federal agency so that agency can effect a salary offset;
b. To the Treasury Department or another Federal agency in order to effect an ad
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information system does not collect any IIF from individuals. IIF is contained within the application however, the only IIF that is contained in the system is received from NIH Enterprise Directory (NED) through nightly updates. Specifically, they receive:
NIH ID
Name
NIH email
Office Location
Mail Stop
Office Phone Number
All of this information is public information which can be viewed at ned.nih.gov. The information is used to identify the patron list for the Division of Library Services.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Contact the official at the address specified under notification procedure above, identify the record, and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administrative procedures are in place to allow only individuals with a job-related necessity to access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2010
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD Integrated Time and Attendance System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/1/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-01-4605-00-403-132
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Integrated Time and Attendance System (ITAS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Chung
10. Provide an overview of the system: The Integrated Time and Attendance System (ITAS) is an automated federal timekeeping system developed by the National Institutes of Health. It was modeled after a system developed at the National Science Foundation. ITAS provides a way for employees, timekeepers, administrative officers, and supervisors to record, track, and report time for work hours, leave activities and payroll purposes. Institute personnel such as Timekeepers and Administrative Officers edit the employee profile so it includes accurate time, leave, and tour of duty information. Once employee profiles are established, employees can use the system to record and track their time and attendance. The payroll cycle is bi-weekly. Therefore, every two weeks, ITAS system processes are run to compute and accrue leave earned, generate timecards for the upcoming pay period, and produce an output file from the system to be transmitted to the Defense Finance and Accounting Services (DFAS) payroll system via the Department of Health and Human Services (DHHS) payroll interface. Besides NIH, ITAS is also used by the OPDIVs under DHHS, with the exception of Centers for Disease Control (CDC). Authority for the maintenance of the system is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): ITAS shares IIF information with DFAS Payroll System employed by DHHS for the purpose of payroll processing. SOR #: 09-90-0018
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: ITAS contains users’ PII that is not collected from the individual user. The user’s PII, such as username and SSN, is gathered by HR and entered into ITAS by an Administrative Officer to set up the employee’s profile. The submission of the users’ PII (SSN and username) along with their time and attendance information to DFAS (Payroll System) biweekly is mandatory for employees to get paid.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) ITAS does not collect IIF from individual users. Major changes in ITAS do not require obtaining consent from users. No notification procedures are required.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: General users access the system based on their roles. Application administrators are restricted to modifying the configuration options that are specific to application/web servers. Database Administrators have (R/W) access to the SQL database. System administrators are responsible for maintaining the hardware and operating system.
ITAS is integrated with NIH Login (SSO). Passwords expire after a set period of time. Accounts are locked after a set period of inactivity. The minimum password length is seven characters. Passwords must be a combination of uppercase, lowercase, and special characters. Accounts are locked after a set number of incorrect attempts.
The servers are located in the CIT Computer Center. Access to the NIH Computer Center Building 12 complex is controlled. A security guard is stationed at the main entrance of the complex, 24 hours a day, seven days a week. Anyone entering the building must display a valid government ID showing a current identification photo, or register with the security guard to acquire a temporary visitor's badge. These badges must be worn at all times. All entrance doors to the Building 12 complex and the machine rooms are controlled by card-activated locks that restrict access 24 hours a day, seven days a week.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Plá
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 6/6/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Interagency Edison (iEdison)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0168
5. OMB Information Collection Approval Number: 0925-0001 - Research and Research Training Grant Applications and Related Forms
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH OD eRA-Interagency Edison (iEdison)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: J.P. Kim
10. Provide an overview of the system: Interagency Edison (iEdison) is one of the "external" subsystems supported by the Electronic Research Administration (eRA). iEdison allows government grantees and contractors to report government-funded inventions, patents, and utilization data to the funding agency that made the award, as required by the federal Bayh-Dole Act, its implementing regulations, and any related funding agreement terms and conditions.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is only used internally and is controlled via role based access controls.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: iEdison collects information on government-funded inventions, patents, and utilization data that were developed under funding awards from that agency. The information collected is provided for under 37 CFR 401, FAR 52.227-11, FAR 52.227-12, 35 USC 200-212, and for the purpose of tracking, reporting, and compliance activities under those laws and regulations and other pertinent policies, laws and regulations covering these inventions and discoveries.

PII elements such as name, date of birth, Social Security Number, certificates and legal documents, phone numbers, and e-mail address may be uploaded to the system via image files uploaded as grant processing and invention supporting documentation. PII elements are neither requested nor in searchable form. The SORN listed in response to question #4 covers invention, patent, and licensing documents as a whole, and is not meant to imply that iEdison in particular collects, processes, or disseminates PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No process exists to notify or obtain consent when there is a major change to the system that affects disclosure and/or data uses, since the notice is given at the time of the original collection. Applicants are notified that data is collected when they enter it into the system or fill in the paper application.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include certification and accreditation, system security plan, contingency plan, system backups, policies, and procedures. Technical controls include user ID and password to access system, as well as firewalls, VPN, and encryption. Physical Controls include guards, ID badges, key cards, and locked SAS 70 audited server room.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Carla Flora on behalf of Oliver (Pete) Morton
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD IP Track System (IPTRACK)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/8/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): IP Track System (IPTRACK)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Charlie Jones
10. Provide an overview of the system: A database to track the IP addresses of computer systems and the locations of those computers; no IIF is collected. Only machine names and room numbers are included in the database.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: A database to track the IP addresses of computer systems and the locations of those computers; no IIF is collected. Only machine names and room numbers are included in the database.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: None
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD IRT Portal
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 1/31/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD IRT Portal
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Christopher Todd
10. Provide an overview of the system: The IRT Portal is a repository for IT security vulnerabilities at NIH. The primary users are the IRT and each individual IC ISSO. The IRT Portal will be used to track security vulnerabilities related to all systems across NIH. The IRT Portal will be able to interface with the HHS CSIRC Database for various data calls related to security vulnerabilities and the status of each incident.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The IRT Portal is a scalable and extendable NIH monitoring and reporting system. Production IRT Portal modules will allow the NIH CISO to consolidate compliance monitoring and reporting of:

• Password Policy Waivers
• Encryption Policy Waivers
• Federal Desktop Core Configuration (FDCC) Policy Waivers
• Firewall Exceptions and Waivers
• Intrusion Detection System (IDS) Exceptions and Waivers
• Web Content Filtering Exceptions and Waivers
• Other Information Technology Policy Waivers

The IRT Portal loads data from an array of enterprise systems including nVision, NIH Enterprise Database (NED), Active Directory (AD), Network Security Section (NSS), AppScan and Tenable Security Center. The IRT Portal is being extended to enable the NIH CISO to correlate security incident data with other incidents as well as with applicable security policy waivers and exceptions. Additionally, in the near term RiskVision (CSIRC) will be incorporated via an NIH Connector, which supports electronic reporting and exchange of NIH security incidents with HHS. Future integration with NIH Certification and Accreditation Tool (NCAT) and Security and Privacy Online Reporting Tool (SPORT) data is possible, for correlation of incident data, waiver data, and Interconnection Security Agreements (ISAs)/Memoranda of Understanding (MOUs) with NCAT and SPORT data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No PII is collected or stored on the IRT Portal.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 11/14/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Loan Repayment Programs Website [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/12/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-01-4619-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0165
5. OMB Information Collection Approval Number: OMB No. 0925-0361
6. Other Identifying Number(s): NIH/OER/DLR – LRP System6
7. System Name (Align with system Item name): National Institutes of Health (NIH) Division of Loan Repayment (DLR) - Loan Repayment Program (LRP) System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Steve Boehlert
10. Provide an overview of the system: The NIH Loan Repayment Programs (LRPs) are a vital component of our nation's efforts to attract health professionals to careers in clinical, pediatric, health disparity, or contraceptive and infertility research. In exchange for a two-year commitment to a research career, NIH will repay up to $35,000 per year of qualified educational debt, and covers Federal and state taxes that result from these benefits. The NIH LRP Website and Electronic Application System provides a web-based interface for individuals to obtain information, such as eligibility requirements and conditions for participating in the NIH loan repayment programs. The website also provides an electronic application system. Applicants log in to a secure website and provide all required documents, and can view the status of all forms they have submitted, as well as the status of forms submitted on their behalf by their supervisors, recommenders, and institutional officials. The NIH LRP system supports the NIH strategic goal to foster a highly skilled and diverse workforce focused on research goals. Because this investment allows applicants to apply for loan repayment online and submit forms electronically, it supports the E-Gov initiatives. The program manages and complies with the NIH Privacy Act System of Record # 09-25-0165, entitled "National Institutes of Health Office of Loan Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD."
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Sallie Mae, AES, Department of Education, to request loan accessing information and Institutional Officials and Non-NIH Scientists.

The LRP system interfaces with IMPAC II (Information for Management, Planning, Analysis and Coordination). IMPAC II is the successor to NIH's original IMPAC information management system. Its firewalls and user access controls ensure the security of confidential grant, contract, and personal data. NIH staff and authorized users from other U.S. Government agencies involved in health research have access to IMPAC II on a need-to-know basis.

The NIH LRP Website and Electronic Application System provides a web-based interface for individuals to obtain information, such as eligibility requirements and conditions for participating in the NIH loan repayment programs (LRPs). The website also provides an electronic application system. Applicants log in to a secure website and provide all required documents, and can view the status of all forms they have submitted, as well as the status of forms submitted on their behalf by their supervisors, recommenders, and institutional officials. The NIH DLR LRP system supports the NIH strategic goal to foster a highly skilled and diverse workforce focused on research goals. Because this investment allows applicants to apply for loan repayment online and submit forms electronically, it supports the E-Gov initiatives. The applicable NIH System of Record is # 09-25-0165, entitled "National Institutes of Health Office of Loan Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD." NOTE: We have submitted an update to the SORN – to be renamed NIH Division of Loan Repayment (DLR) Records System

The NIH DLR administers the application and disbursement processes for all of the LRPs, which includes information dissemination, conducting the application receipt and referral process, referring qualified applications to the NIH Institutes and Centers (ICs), evaluating educational debt, reviewing basic eligibility, administering individual LRP contracts, establishing repayment schedules with lending institutions, and obligating funds. Participating NIH ICs convene panels consisting of non-NIH scientists to review, score, and rank applications. The ICs make funding decisions and notify NIH DLR of the results of these decisions. Staff within the ICs coordinate with the NIH DLR to ensure funds are available and that they are charged to the appropriate CAN. These NIH staff also help guide applicants and participants who have questions about the research component of their applications or about other aspects of the application process, such as the peer review process.

The NIH DLR maintains and complies with the NIH Privacy Act System of Record # 09-25-0165, entitled "National Institutes of Health Office of Loan Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD."
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information collected in the application forms is: name, social security number (SSN), grant number, program application and associated forms, service pay-back obligations, employment data, professional performance and credentialing history of licensed health professionals; personal, professional, and (voluntary) demographic background information; financial data including loan balances, deferment, forbearance, and repayment/delinquent/default status information; educational data including academic program; employment status and salary verification (which includes certifications and verifications of continuing participation in qualified research); credit reports; and Federal, State and county tax related information, including copies of tax returns.

LRP awards are competitive. The information collected during the LRP application process is used to make basic eligibility determinations and to provide the scientific reviewers the information necessary to assess the potential of the applicant to pursue a career in research and to measure the quality of the overall environment to prepare the applicant for a research career.

Major changes are posted in the Federal Register and public comment is requested.

User consent is implicit in the act of providing the information. Providing the information is voluntary; however, in most circumstances failing to provide the information precludes the applicant from qualifying for the program or precludes the participant from receiving benefits of the program.

The information provided is not disclosed without the applicant/participant's consent to anyone outside of NIH in a manner that identifies the applicant/participant, except as permitted by the Privacy Act.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) A copy of our Privacy Act Notification is posted on our Web site (http://www.lrp.nih.gov/privacy/index.htm) and is available to all individuals providing IIF. The Privacy Act Notification lists the purposes for collecting the information, as well as the routine uses permitted by the Privacy Act. The system also informs the user when collecting data, during registration: "Note: We collect your Social Security Number [SSN] to verify your identity, to determine your eligibility for loan repayment assistance and to keep track of the federal funds you receive. We also use your SSN for loan repayment and servicing purposes under the Loan Repayment Program. We also use this information to determine whether you are eligible for loan repayment and the amount of that assistance. See Privacy Act information for additional information."

Major changes are posted in the Federal Register and public comment is requested.

User consent is implicit in the act of providing the information. Providing the information is voluntary; however, in most circumstances failing to provide the information precludes the applicant from qualifying for the program or precludes the participant from receiving benefits of the program.

The information provided is not disclosed without the applicant/participant's consent to anyone outside of HHS in a manner that identifies the applicant/participant, except as permitted by the Privacy Act.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The DLR LRP system permits only authorized and authenticated user access. Additionally, security measures compliant with Federal guidelines and directives (NIST, FIPS, OMB, GAO, and agency-level HHS/NIH) and with industry best practices are in place to ensure the system makes effective use of security controls and authentication tools to protect privacy to the extent feasible. Access to the LRP system user's records is restricted to authorized users behind the NIH CIT firewall. Risk of unauthorized access is, therefore, considered low. The DLR LRP system is maintained in strict compliance with the NIH Privacy Act System of Record # 09-25-0165, entitled "National Institutes of Health Office of Loan Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD."

Access to information is limited to authorized personnel in the performance of their duties. Authorized personnel include system managers and their staffs, financial, fiscal and records management personnel, legal personnel, computer personnel, and NIH contractors and subcontractors, all of whom are responsible for administering the NIH LRPs.

Physical safeguards: Rooms where records are stored are locked when not in use. During regular business hours, rooms are unlocked but access is controlled by on-site personnel. Security guards perform random checks on the physical security of the storage locations after duty hours, including weekends and holidays.

Procedural and Technical Safeguards: A password is required to access the terminal and a data set name controls the release of data to only authorized users. All users of personal information in connection with the performance of their jobs protect information from public view and from unauthorized personnel entering an unsupervised office. Data on local area network computer files is accessed by keyword known only to authorized personnel. Codes by which automated files may be accessed are changed periodically. This procedure also includes deletion of access codes when employees or contractors leave. New employees and contractors are briefed and the security department is notified of all staff members and contractors authorized to be in secured areas during working and nonworking hours. Individuals remotely accessing the secured areas of the DLR Internet sites have separate accounts and passwords, and all data transmitted between the server and workstations is encrypted.

NIH requires the completion of a computer-based training (CBT) course entitled 'Computer Security and Awareness' for NIH staff and contractors. This CBT provides an overview of basic IT security practices and the awareness that knowing or willful disclosure of the sensitive information processed in the LRP system can result in criminal penalties associated with the Privacy Act, Computer Security Act, and other federal laws that apply. This CBT can be found at http://irtsectraining.nih.gov/. User access may be requested only by personnel authorized by the Executive Officer. Users are not permitted system access until the required system training prerequisites are completed and they demonstrate the competencies required to fulfill their work responsibilities. Users are certified as having fulfilled the requirements by their Executive Officer or his or her appointed representative who requests access for the user.

It should also be noted that the DLR LRP system runs as a part of the NIH (CIT/OIT) infrastructure, which also supports policy enforcement to validate that security requirements and privacy requirements are being satisfied. Incident handling guidelines are detailed in the Office of the Director (OD) standard operating procedures “OD/EO/OIT Standard Operating Procedures for Malicious Code Attacks, Intrusions, and Offensive Emails” (at http://oit.od.nih.gov/pubs/SOP_ISSO.pdf) and the NIH Incident Handling Guidelines (at http://irm.cit.nih.gov/security/ih_guidelines.html) are consistent with
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Steve Boehlert
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD My Dietary Supplements (MyDS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable 
1. Date of this Submission: 6/21/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Office of Disease Prevention Office of Dietary Supplements - My Dietary Supplements (MyDS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jody Engel, M.A., R.D.
10. Provide an overview of the system: My Dietary Supplements (MyDS) was designed to give consumers a free, convenient mobile record of the dietary supplements they are taking. Consumers can use their mobile device to keep track of the vitamins, minerals, herbs, and other products they take and easily share the information with their health care providers. This mobile application may help decrease the potential for interactions between dietary supplements and prescription medications. MyDS can also provide science-based, reliable information about dietary supplements as well as general information about the NIH Office of Dietary Supplements.
Features
· Create personal dietary supplement profiles for yourself and others;
· Record and store on your mobile device the name and amount of each dietary supplement you take;
· Add additional information about each dietary supplement in the Notes field;
· Email your dietary supplement profile to yourself, health care providers, pharmacists;
· Add up to two photos of each dietary supplement on your list;
· Protect your information with the option to create a personal password; and,
· Access reliable information about dietary supplements from the Office of Dietary Supplements.
To set up the MyDS application on a mobile device (i.e., iPhone, iPad, etc.), the user will download the application from the Apple iTunes/Application Store, then create a username (email address) and personal password to open the application - Download MyDS
In the near future, the user will be able to access an online WebApp version which will run just like a mobile application, but via the Web.

The Office of Dietary Supplements has embedded the website http://www.flurry.com into the MyDS application. It is an analytics application that counts usage data, downloads, and geo-location (e.g., number of people using the device, browser used to download the application, general (continent) location of the user, etc.).

If users have questions about the MyDS application, they can request MyDS support by composing an email with the subject of their inquiry, message and email address and sending it to: http://ods.od.nih.gov/about/mobile/mydssupport.aspx
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): System does not share or disclose PII
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: System collects the individual's email address only and does not use it for any communications. The email address will only be used to authenticate access to the system and to support the "forgot password" functionality. The agency will not use any of the individual's personal data. Submission of an email address is mandatory to use the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The terms of service and the disclaimer to support the application will be available to the individuals. The terms of service and disclaimer will state that ODS does not use the data, nor does it have direct access to it. If any guidance changes the terms of service and disclaimer will be updated.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The database server which stores the user's email address will only be accessible via the Web server. The data will only be available to the end user after login using the app. The email address will be encrypted on the server, so any unauthorized access would not allow a connection of PII to the individual's data.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/14/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD NDPA-NIA IT System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: I need to check on UPI Number that is being assigned by OMB
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: NDPA Outcome Evaluation 0925-0606 expires 11/30/2012
6. Other Identifying Number(s): 0925-0606
7. System Name (Align with system Item name): NIH - OD NIH Director's Pioneer Award (NDPA) - R01 Outcome Evaluation/NIH OBSSR portfolio
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stephanie Shipp (571-480-1226)
10. Provide an overview of the system: The purpose of the NDPA outcome evaluation is to determine whether (1) NDPA Awardees are conducting pioneering research with NDPA funds and (2) to assess whether the R01 outcomes are equally pioneering. The data will be kept on a secure password protected computer that is only used for this project. The second project is to examine the NIH Office of Behavioral and Social Sciences Research (OBSSR) portfolio.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The PII is only seen by the STPI employee who is conducting outcome evaluations and portfolio analysis. The PII is needed to contact the awardees and applicants.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Components of the NDPA Outcome-R01 Evaluation include:
Interviews with all NDPA awardees (pioneers) from FY 2006.
Interviews with NDPA interviewees (finalists from FY 2004-2006).
Assessment of awardee and interviewee outcomes by focus group panels.
Expert review.
Analyses of QVR and RCDC data.

Components of the NIH OBSSR portfolio analyses include:
Creation of a database of OBSSR grants with associated information for subsequent analysis. The contractor will recode NIH-provided data for FY 2006 to be consistent with NIH-provided data for FYs 2007-2010. The OBSSR-based project director shall guide the contractor’s work to develop and structure the database. PII information will be on the files to conduct bibliometric and other related analyses.
Table #1: Number of NIH PIs (including the investigator and the project) in the Behavioral and Social Sciences, Fiscal Years 2006-2010
Table #2: Distribution of Behavioral and Social Sciences projects by IC, Fiscal Years 2006-2010
Table #3: Percentage of Competing NIH Grant Applications and other Projects Submitted in the area of Behavioral and Social Science and by Applicants in Other Areas That Were Funded, Fiscal Years 2006-2010
Table #4: Amount of NIH Funding for Behavioral and Social Sciences research Grant Recipients and Awardees in Other research areas, by Type of Application and Fiscal Years, 2006-2010
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) For the NDPA -R01 Outcome Evaluation and NIH OBSSR Portfolio Analyses:
1) The NDPA-R01 Outcome Evaluation expert protocols will contain the following general assurance of confidentiality: “…Your responses will be kept strictly confidential: If you choose to participate, respondent confidentiality will be protected to the extent provided by law, and STPI will report only aggregate information concerning overall impressions of the process to the NIH.”
2) Data used from QVR and RCDC will only be reported in aggregate format.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: In order to ensure data security, all employees of the Science and Technology Policy Institute are required to adhere to strict standards and sign a non-disclosure agreement as a condition of employment. The Science and Technology Policy Institute has extensive experience collecting information and maintaining its confidentiality and security. STPI accesses QVR and RCDC remotely through an NIH VPN connection. Our offices are accessed only by STPI employees, who must have an ID that is wanded for entry. Our building has a full-time guard who only allows entry to employees and to guests with an escort.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Promoted by Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Business System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/25/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-01-01-4601-24-402-125
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0217
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH Business System (NBS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sean Hagan
10. Provide an overview of the system: The overall objective of the NBS is to enable administrative/scientific support that is cost effective, provides more accurate and timely information, modernizes hardware and software components, and facilitates the scientific mission of the NIH. The scope of the NBS includes seven business or "functional" areas currently included in the ADB: Financial Management; Property Management; Accounts Payable (Commercial Accounts); Acquisition; Service and Supply Funds Operations; Supply Management; and Travel Management. Legal authority for maintenance of the NBS may be found in 5 U.S.C. 301 and 302, 44 U.S.C. 3101 and 3102, and Executive Order 9397.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Since NBS is an enterprise financial system, there are many use cases where records containing PII will be shared or disclosed with persons or entities. For example, records will be routinely disclosed to the Treasury Department in order to effect payment, and records may be disclosed to Members of Congress concerning a Federal financial assistance program in order for members to make informed opinions on programs and/or activities impacting legislative decisions. The Privacy Act System of Records Notice (SORN) 09-25-0217 provides a listing of with whom the PII may be shared and for what purpose. The language in the SORN is succinct with regard to with whom records are shared and the purpose.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Name, Social Security Number (SSN) or EIN/TID, address, email address, phone number, purpose of payment or request for payment, bank account and routing numbers, accounting classification and the amount paid or billed. Also, in the event of an overpayment and for outstanding charges, fees, loans, grants, or scholarships, the amount of the indebtedness, the repayment status and the amount to be collected. In the event of an administrative wage garnishment, information about the debtor's employment status and disposable pay available for withholding will be maintained. The IIF contained in the system is mandatory to fulfill the requirements of the system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) If major changes occur to the system a Systems of Records (SOR) will be filed as appropriate.

NOTIFICATION PROCEDURE:
To determine if a record exists, individuals may write to the System Manager listed in SOR 09-25-0217. A written request must contain the name, address and social security number of the requestor and his or her signature that either is notarized to verify his or her identity or contain a written certification that the requestor is who he or she claims to be and understands that the knowing and willful request for acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a five thousand dollar fine.

RECORD ACCESS PROCEDURE:
Same as notification procedures. Requestors should also specify the record contents being sought. Individuals may also request an accounting of disclosures of their records, if any.

CONTESTING RECORD PROCEDURE:
Contact the official at the address specified under notification procedure in the SOR identified above, identify the record, and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

All notices will be published in accordance with the Privacy Act System Notices - Systems of Records (SORs) at NIH as required.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The NBS will conform to applicable law and policy governing the privacy and security of Federal automated information systems. These include but are not limited to the Privacy Act of 1974, Computer Security Act of 1987, Paperwork Reduction Act of 1995, Clinger-Cohen Act of 1996, and the Office of Management and Budget (OMB) Circular A-130, Appendix III, "Security of Federal Automated Information Resources." The IIF will be secured in accordance with Privacy Act System of Record 09-25-0217, entitled "NIH Business System (NBS), HHS/NIH."
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sean Hagan, NBS ISSO
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Enterprise Architecture Repository (NEAR)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Enterprise Architecture Repository
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Steven Thornton
10. Provide an overview of the system: The NIH EA Repository addresses the need for access to pertinent information in order to make better informed decisions. Specifically, the EA Repository contains information about IT systems and their relationship to NIH Business Processes, Data, Services and other EA Artifacts. This information, which is often tracked in disparate systems, is consolidated in the EA Repository in a way which provides a high level overview of how resources relate and how they are being used within the organization. With this information, ICs can assess the effectiveness of their investments, identify duplication and find systems and services for reuse. Furthermore, the EA Repository provides a mechanism by which to quickly identify the impacts of a variety of different elements, such as policy changes impacting systems, and system retirements.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1. The system collects employee name, employee business phone number, and employee business email address (federal contact data).
2. We collect this information to have a business point of contact for managers of NIH information systems.
3. The information is not considered PII, because it is federal employee business contact information.
4. The information is currently in an optional field but will be updated to a mandatory feed.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A – No PII collected, maintained or disseminated in the system
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 10/24/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Enterprise Architecture Website
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD NIH Enterprise Architecture Website
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Steven Thornton
10. Provide an overview of the system: The NIH EA website is the authoritative source for NIH’s enterprise architecture principles, standards, best practices, business process models, data models, integration standards, and other types of enterprise level specifications and communications.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NIH EA website collects name, email address, title (optional), organization (optional), and phone number (optional) via a Contact Us form to enable the NIH EA team to answer questions from the public about the NIH EA program or website.

The NIH EA website also collects the NIH.gov email address for NIH employees and contractors ONLY who wish to subscribe to receive alerts – based on their subscription preferences – when content changes on the website. This information is then available to the NIH EA website administrators, who can unsubscribe users manually, if necessary. These subscribers may also unsubscribe themselves at any time.

The NIH EA website also collects the email address for users who wish to share NIH EA content links with other users and those users’ email addresses. This information is not stored.

The NIH EA website uses WebTrends and Google Analytics for analytics. WebTrends, a CIT managed service, and Google Analytics collect referring domains for users who navigate to the NIH EA website in support of the NIH EA team’s site analytics effort.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The NIH Enterprise Architecture website discloses its use of PII via the site’s Privacy Statement: http://enterprisearchitecture.nih.gov/About/About/Privacy.htm and via its P3P machine readable policy. The current privacy statement - which is being updated to include references to Google Analytics and the AddThis share widget - states:

Of the information we learn about you from your visit to the NIH Enterprise Architecture website, we store only the following:
The domain name from which you access the Internet
The date and time you access our site
The Internet address of the website from which you direct-linked to our site
This information is used to measure the number of visitors to the various sections of our site and to help us make our site more useful to visitors. Unless it is specifically stated otherwise, no additional information will be collected about you. When inquiries are emailed to us, we store the question and the email address information so that we can respond electronically. Unless otherwise required by statute, we do not identify publicly who sends questions or comments to our website. We will not obtain information that will allow us to identify you personally when you visit our site, unless you choose to provide such information to us. Questions about NIH privacy policies should be sent to the NIH Privacy Act Officer at NIHPrivacyActOfficer@od.nih.gov.

The new privacy policy will include the following language:

Group "Website Measurement"

At the user's option, we will collect the following data:
URI of requested resource
Request timestamp
User's interaction with a page or resource
Search terms
Client's IP address or hostname
Data bytes in response
Response status code
Client's Browser Type
Client's Operating System
Client's Platform Type
HTTP cookies
This data will be used for the following purposes:
Anonymous user analysis. The user is allowed to opt-out of this usage.
This data will be used by ourselves and our agents. In addition, the following types of entities will receive this information:
Unrelated third parties. The user is allowed to opt-out of this data sharing.
The data in this group has been marked as non-identifiable. This means that there is no reasonable way for the site to identify the individual person this data was collected from.
The following explanation is provided for why this data is collected:
enterprisearchitecture.nih.gov uses Webtrends and Google Analytics measurement software to collect the information described in the bulleted list above. Webtrends and Google Analytics collect information automatically and continuously. No personally identifiable information is collected. The NIH staff conducts analyses and reports on the aggregated data from Webtrends and Google Analytics. The reports are only available to enterprisearchitecture.nih.gov managers, members of the NIH Office of the Chief Information Officer (OCIO), and other designated staff who require this information to perform their duties.
Group "Cookies"
At the user's option, we will collect the following data:
HTTP cookies
This data will be used for the following purposes:
Anonymous user analysis. The user is allowed to opt-out of this usage.
This data will be used by ourselves and our agents. In addition, the following types of entities will receive this information:
Unrelated third parties. The user is allowed to opt-out of this data sharing.
The data in this group has been marked as non-identifiable. This means that there is no reasonable way for the site to identify the individual person this data was collected from.
The following explanation is provided for why this data is collected:
The Office of Management and Budget Memo M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies allows Federal agencies to use session and persistent cookies. When you visit any Web site, its server may generate a piece of text known as a "cookie"
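The two groups above are the human-readable rendering of P3P statements, and the page says the site also publishes the machine-readable P3P policy. The following is an added illustration of how those two groups would be encoded in P3P 1.0 XML; it is not the site's actual policy file (the page only references it), and the data-element mappings, the admin/develop purposes, the business-practices retention, the entity name and the discuri/opturi values are assumptions. The `optional="yes"` attributes encode "at the user's option" and `required="opt-out"` encodes the opt-out language in the text.

```xml
<!-- Added illustration, NOT the NIH EA site's real P3P file.
     Mappings of the listed data items to P3P base-schema elements, the purposes,
     the retention choice, the entity name and the URIs are assumptions. -->
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="nih-ea-web-measurement"
          discuri="http://enterprisearchitecture.nih.gov/About/About/Privacy.htm"
          opturi="http://enterprisearchitecture.nih.gov/About/About/Privacy.htm">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">NIH Enterprise Architecture (assumed)</DATA>
      </DATA-GROUP>
    </ENTITY>
    <!-- Data is declared non-identifiable, so no per-individual access is offered -->
    <ACCESS><nonident/></ACCESS>

    <!-- Group "Website Measurement" -->
    <STATEMENT>
      <CONSEQUENCE>Anonymous site-usage analysis using Webtrends and Google Analytics.</CONSEQUENCE>
      <NON-IDENTIFIABLE/>                    <!-- "marked as non-identifiable" -->
      <PURPOSE>
        <admin required="opt-out"/>          <!-- assumed mapping of "anonymous user analysis" -->
        <develop required="opt-out"/>
      </PURPOSE>
      <RECIPIENT>
        <ours/>                              <!-- "ourselves and our agents" -->
        <unrelated required="opt-out"/>      <!-- "unrelated third parties", opt-out allowed -->
      </RECIPIENT>
      <RETENTION><business-practices/></RETENTION>   <!-- assumed; the page states no period -->
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream.uri" optional="yes"/>             <!-- URI of requested resource -->
        <DATA ref="#dynamic.clickstream.timestamp" optional="yes"/>       <!-- request timestamp -->
        <DATA ref="#dynamic.interactionrecord" optional="yes"/>           <!-- interaction with a page -->
        <DATA ref="#dynamic.searchtext" optional="yes"/>                  <!-- search terms -->
        <DATA ref="#dynamic.clickstream.clientip" optional="yes"/>        <!-- client IP or hostname -->
        <DATA ref="#dynamic.clickstream.other.bytes" optional="yes"/>     <!-- bytes in response -->
        <DATA ref="#dynamic.clickstream.other.statuscode" optional="yes"/><!-- response status code -->
        <DATA ref="#dynamic.http.useragent" optional="yes"/>              <!-- browser, OS, platform -->
        <DATA ref="#dynamic.cookies" optional="yes"/>                     <!-- HTTP cookies -->
      </DATA-GROUP>
    </STATEMENT>

    <!-- Group "Cookies" -->
    <STATEMENT>
      <CONSEQUENCE>Session and persistent cookies used for web measurement under OMB M-10-22.</CONSEQUENCE>
      <NON-IDENTIFIABLE/>
      <PURPOSE><admin required="opt-out"/></PURPOSE>
      <RECIPIENT><ours/><unrelated required="opt-out"/></RECIPIENT>
      <RETENTION><business-practices/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.cookies" optional="yes"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
```

Two caveats for anyone reviewing a policy like this. First, P3P is obsolete: the W3C has marked the specification obsolete and current browsers do not evaluate it, so the XML documents practices but enforces nothing; the Privacy Statement and the actual analytics configuration are what need checking. Second, the "Website Measurement" group lists the client's IP address or hostname yet is marked non-identifiable; that claim depends on how the measurement tools are configured (aggregation, IP truncation) and on what the third-party analytics provider receives, neither of which this PIA describes.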
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Because the only PII that is stored is the nih.gov email addresses of employees and contractors who subscribe to be notified of changes, there are no security controls required to protect it. This feature is not available to public users. A much larger set of the same information can be found publicly on ned.nih.gov. Nevertheless, the information is protected, such that only site managers can access it, using NIH Login and by being assigned to the site manager security group. The information sits within the NIH firewall. Only the system owner can grant permission for someone to be added to this security group. Upon her request, the SharePoint administrators grant this permission in the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Helen Schmitz
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/14/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Integrated Training System II (NIHITS II)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/27/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4610-00-403-224
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH Integrated Training System II (NIHITS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kimberly Hill
10. Provide an overview of the system: The NIH Integrated Training System II (NIHITS II) is a Web-based training nomination system used at the National Institutes of Health (NIH). NIHITS II allows for the creation, approval and tracking of employee training nominations.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH Business System (NBS) for purposes of funds obligation for training nominations. SOR# 09-25-0216
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The NIHITS system will collect IIF through the Name (First, Last, Middle Initial) of employees within NIH, as well as contractors and other assignments as deemed appropriate by IC authorities at NIH. NIHITS will also collect SSNs for NIH employees, contractors, and other assignments as deemed appropriate. The information collected is required to be able to procure and track training for employees.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The NIHITS system imports Name and SSN information from the NIH Employee Database for purposes of updating the list of employees and keeping information up-to-date. Users are notified by email when changes are to occur in the system. Employees are not directly notified when information is collected from HRDB because they should have been notified when the information was collected in HRDB.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF data is secured by using user identifiers, passwords, firewalls, IDS, backups, ID badges and physical security (guards) at the location. Users are restricted to viewing only the data needed to fulfill their duties.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Plá
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Intramural Database [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/8/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-01-4615-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH Intramural DataBase (NIDB)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dale Graham
10. Provide an overview of the system: The NIH Intramural DataBase (NIDB) system collects data relating to oversight and evaluation of the NIH's Intramural Research Program. These data include names of researchers involved in particular projects and the publications they author, as well as which NIH organizations they are affiliated with. In addition, the names and organizational affiliations of extramural collaborators are also collected. For NIH researchers, the NIDB collects NIH email addresses and other data relating to their research position (e.g., their Intramural Professional Designation). All data collected directly relates to the NIH intramural research process. We collect no unique personal information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Searches of Annual Reports show names of the people participating in the research. NIH contact information is passed to PubMed Central via webservices and to NEES via a database view.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: NIDB collects names, advanced degrees and NIH email addresses for NIH researchers. It also collects from NIH researchers the names and organizational affiliations of non-NIH researchers with whom they collaborate. No personal information (other than names) is collected. Most names for NIH staff are now collected directly from the NIH Enterprise Directory, rather than being entered by NIH staff. These data are used for oversight and evaluation of the NIH Intramural Research Program. The Annual Reports (after approval by Lab/Branch Chiefs and Scientific Directors) are available for searching by members of the public. These contain names, degrees, and organizational affiliations for those shown as collaborating on the Reports. There is no submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not applicable to NIDB. However, NIDB downloads data from NED. Changes to this system and their process notifications are outside of NIDB’s scope. What NED indicates is as follows: The following notice is displayed to users following authentication to NED.

"Collection of this information is authorized under 5 U.S.C. 301 and 302, 44 U.S.C. 3101 and 3102 and Executive Order 9397. The primary use of this information is to establish a centrally coordinated electronic directory to conduct administrative business processes at the National Institutes of Health. Information from this system may be disclosed to personnel with a valid need for access to the information in order to conduct agency business. To the extent that they are relevant and necessary, additional disclosures of the information may be made for the following purposes: to contractors or consultants engaged by the agency to assist in the performance of a service; to respond to another Federal agency’s request made in connection with the hiring, clearance or retention of an employee or letting of a contract; or to the Department of Justice, or to a court or other adjudicative body for litigation. Failure to provide all or part of the information requested may limit your ability to perform official duties, impact your ability to qualify for an NIH contract or limit your access to NIH services and facilities."

There are no other processes currently in place to obtain additional consent from the individual whose IIF is stored in NED regarding what IIF is being collected for them or how the information will be used or shared. There are also no processes in place at this time to obtain consent from the individuals whose IIF is in the system when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: NIDB collects names (public record), and NIH contact information (also public record) via NED. NIDB has access solely to NED's public view and therefore has no access to anything other than that. NIDB also collects information about advanced degrees (when granted, where). Contact information and when and where degrees are granted are NOT made public. This is utilized within the NIH only. Access to NIDB data requires authorization by role for any of this information.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Security Authorization Tool [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/11/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Certification & Accreditation Tool (NCAT)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kathleen Coupe
10. Provide an overview of the system: NIH Certification and Accreditation Tool (NCAT) is a COTS product that tracks FISMA information for NIH systems and also collects the necessary data to develop and maintain Certification and Accreditation documentation and POA&M data. It is hosted on the NIH Data Center and covered by the Data Center C&A except for those controls which are application specific. The program also gives Management an overview of the security status at NIH via the reporting tools.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Trusted Agent does not collect, maintain or disseminate IIF. It contains security control information for NIH systems per FISMA requirements. This includes C&A dates, FIPS 199 categorizations, security control implementation, etc., that are used to evaluate system security status. There is no submission of personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) IIF is not collected.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is collected on the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Promoted by Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD OCIO IRT Lab [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OCIO IRT Lab
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Christopher Todd
10. Provide an overview of the system: The system is a General Support System (GSS) and does not directly collect or store information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system is a General Support System (GSS) and does not directly collect or store information. The applications/systems residing on the GSS collect and store information. Therefore, individual PIAs have been prepared and submitted for the applications/systems residing on this GSS.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/29/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD OD Static Websites [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable 
1. Date of this Submission: 8/5/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): n/a
5. OMB Information Collection Approval Number: n/a
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): NIH OD Static Websites
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Minh Chau, Steve Olsen
10. Provide an overview of the system: This is a "blanket" PIA for all low-security static websites hosted by OIT
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): n/a
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) The systems covered by this PIA will not collect any information. The only information disseminated by these systems is limited to federal contact data for the programs and offices to which the sites pertain.
2) No PII is to be collected by these sites. Any site which collects PII will be covered by its own PIA and will not fall under the scope of this PIA.
3) Information disseminated does not constitute PII (federal contact data only).
4) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) n/a
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: n/a
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 1/20/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD OD General Support System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/8/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): General Support System (GSS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Antoine Jones
10. Provide an overview of the system: Office of Information Technology LAN
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): none
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: There is no information collected, maintained, or disseminated from this system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: None
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH OD OER Protecting Human Research Participants Training Courses (PHRP and PPHI)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 11/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD OER Protecting Human Research Participants Training Course (PHRP and PPHI)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Maria Stagnitto
10. Provide an overview of the system: The training course is for NIH extramural grantees, Associate Investigators and other key research personnel. NIH requires these individuals to take a training course on protecting human research participants but they are not limited to this program, i.e. other training courses are available outside of NIH. This system captures limited information that is only used should it be necessary to verify that an individual has completed the (Human Subjects) training via this course.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is only used internally and is controlled via role-based access controls
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The name of the individual, their presumed business e-mail address, state and country of residency is required. (2) This information is used to create the database of record for participant verification in this method of training. (3) The information requested is intended to only collect business-related information as proof of participation for this method of training. (4) PII is voluntary because business-related information is anticipated, since the information is related to NIH grants involving the use of human subject research. On February 29, 2008 the Office of Extramural Research published in the Guide to Grants and Contracts a Notice (NOT-OD-08-054) regarding the on-line tutorial Protecting Human Research Participants. It states "It satisfies the NIH human subjects training requirement for obtaining NIH awards, but it is not the only way to satisfy this requirement. Information on satisfying the requirement and answers to commonly asked questions about the education requirement may be found on OER's FAQs on the Requirement for Education on the Protection of Human Subjects (http://grants.nih.gov/grants/policy/hs_educ_faq.htm)."
Additionally OER has a Privacy Notice published at its website http://grants.nih.gov/grants/privacy.htm

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1) On February 29, 2008 the Office of Extramural Research published in the Guide to Grants and Contracts a Notice (NOT-OD-08-054) regarding the on-line tutorial Protecting Human Research Participants. It states "It satisfies the NIH human subjects training requirement for obtaining NIH awards, but it is not the only way to satisfy this requirement. Information on satisfying the requirement and answers to commonly asked questions about the education requirement may be found on OER's FAQs on the Requirement for Education on the Protection of Human Subjects." At the registration site the following statement is provided: "The collection, maintenance and use of the personal information you submit via this website is protected under provisions of the Privacy Act of 1974. As such, all personally identifiable information you provide shall be treated as confidential, shall be used only for the purposes for which it was intended and shall be protected from unauthorized disclosure to the full extent permitted by the Act."
(2) The registration form is limited to name, e-mail (presumed business-related), state and country.
(3) The information is requested only to validate participation in this method of training and is not shared beyond the need to validate this training.

OER has a Privacy Notice published at its website http://grants.nih.gov/grants/privacy.htm
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is password protected, and access is limited to role based access controls.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Margaret Snyder
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 10/24/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD OOCCR OMTrends Database
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 10/31/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD OOCCR OMTrends Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lisa Witzler
10. Provide an overview of the system: OMTrends is a secure, encrypted database used by the Office of the Ombudsman, Center for Cooperative Resolution to record, track, analyze and report conflict management and resolution of workplace issues, as well as non-identifiable demographics of constituents who use the office, and other important, non-confidential information. It is a customized, password-protected Microsoft Access Database hosted on a NIH/OD server.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) We collect the quarter of the year the case is opened (January to March; April to June; July to September; October to December), the current position of the employee, how the employee was referred to the office, bargaining unit status, Institute/Center, and a range (in 5 year increments) of how long they have been at NIH, the general issues that are presented (i.e. communication, performance), the ombudsman activity (i.e. coaching, mediation, referral), where we refer an employee if applicable (i.e. Employee Assistance Program, Employee Relations, OEODM). We are occasionally contacted by non-NIH employees and thus collect this information as well.

(2) We collect this information for the purposes of providing a service to further scientific research through efficient, effective, and innovative conflict management and resolution methods; improve the work environment, preserve workplace relationships and enhance the quality of work.

(3) There is no PII collected.

(4) Usage of the OD/CCR services is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 11/14/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD OSE LifeWorks E-mentoring
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: Alteration in Character of Data 
1. Date of this Submission: 3/28/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No; included in existing mentoring project by OBSSR
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0014
5. OMB Information Collection Approval Number: 0925-0475
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): LifeWorks E-mentoring
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lisa Strauss, Raymond Liu
10. Provide an overview of the system: LifeWorks E-mentoring is an NIH e-mentoring program that extends existing efforts by the NIH Office of Behavioral and Social Science Research (OBSSR) to provide high school students with information about careers in biomedical research, behavioral research, social science research, and healthcare-related fields. Development and maintenance of the supporting database is administered by the NIH Office of Science Education in partnership with OBSSR. High school students age 16 and older are linked via email to e-mentors who provide them with relevant information, guidance and support. E-mentoring takes place via the Internet.
Mentor Registration--Mentors complete the registration and Conditions of Service agreement online. Failure to abide by the terms results in removal from the program. Mentor registration involves multiple background checks including, the U.S. Department of Justice Dru Sjodin National Sex Offender Public Web site (http://www.nsopr.gov/) and a personal reference check.
Student Registration--The parent/guardian and student must complete the registration form online. Failure to abide by these terms will result in student removal from the LifeWorks E-mentoring program.

Security--All student and mentor communications take place behind a firewall and are password protected on a server that is managed by the NIH Center for Information Technology.

Privacy and Internet Safety--Participants are instructed that all communications between mentors and students are restricted to the online tool. No contact between students and mentors is allowed outside of the online tool. To minimize alternative communication channels, email addresses are automatically deleted from messages.

Training--To promote safe internet practices, mentors and students receive separate guidelines that provide information and Web site links about internet safety and e-mentoring rules.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Personal information collected by LifeWorks E-Mentoring will be shared with the NIH administrator at the Office of Science Education, and with IT support administrators of the same, to archive in the database for the direct purpose of matching protégés with mentors. This information will not be shared with third parties unless specifically authorized by legal authorities under existing statutes. IIF data will be retained on the system for the projected life cycle (12 months) of the proposed activity (e-mentoring). These files will be deleted from the database upon direct request
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: LifeWorks E-mentoring is a free e-mentoring program that helps high school and college students who are interested in behavioral and social science, biomedical science, dental, and healthcare careers find a mentor. Mentors are carefully screened science, healthcare, and education professionals who volunteer to provide information, guidance, and support as students develop their careers. Internet-based communication occurs between high school students and pre-screened postdoctoral fellows, scientists and healthcare personnel who are determined to be well-suited to serve as e-mentors. Submission of all PII is strictly voluntary; however, in order to participate in the LifeWorks E-mentoring program, users must provide PII in response to questions. NIH Office of Science Education administrators assigned to manage LifeWorks E-mentoring will have access to all PII collected.

The form we use to collect student and parent/guardian information is: https://science.education.nih.gov/LifeWorksEmentoring.nsf/Student%20Registration?OpenForm

Required student information includes: first name, last name, school grade, school name, email address, home address, city, state, zip code, phone number, age and gender.

Required parent/guardian information includes: first name and last name.

The form we use to collect mentor information is:
https://science.education.nih.gov/LifeWorksEmentoring.nsf/Mentor%20Registration?OpenForm

Required mentor information includes: first name, last name, title, degree/grade, employer/school, email address, work address, city, state, zip code, phone number, profession and gender.

Required mentor reference information includes: first name, last name, job title, employer/school, phone number and email address.

The data is kept in our Domino database system.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) LifeWorks E-mentoring participants will be notified by regular mail or electronic communication of any changes to the system that are covered by provisions of the privacy act. Consent for collecting and releasing PII that fall outside the scope of the original notice will be made through similar channels.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to the LifeWorks E-mentoring users database will be restricted to the designated NIH administrators at OSE. Unauthorized access will be restricted as indicated below.

There will be two completely different databases to this application. The first database will be available to the general public. It is where general information about the program is available. It is also where individuals can go to register as participants. The other database is where the actual communication resides. It will only be available to eligible participants. This is security at the database level.

Individuals will be required to complete an application, by which they will be given access authority. This is the point at which matches will occur. When a match is formed, mentor and student will be provided ID and password access to the second database. This is security by ID and password authentication.

Although all participants will have access to a common communication database, each person will only have access to his/her own relevant documents. Each document will have limited access characteristics that (a) limit readability to mentor, student and NIH administration, (b) prohibit modification after it is created, and (c) internally/invisibly track who created the document.

In addition, all e-communication is firewalled and password protected on a server that is managed by the NIH Center for Information Technology.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 4/1/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD PastPerfect Online
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/3/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD PastPerfect Online Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Barbara Harkins
10. Provide an overview of the system: PastPerfect online database contains museum object collection records, photograph collection records and archival material that is in the public domain. These records are accessed by collection name and the information retrieved is description, date of creation, title of collection, number of images. Archival collections will have scope and content information of the collection, dates, number of boxes and folders.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The PastPerfect system collects historical and archival information from the NIH community, specifically, microscopes used in research, photographs of buildings, events and NIH directors (federal employees).
(2) The purpose of this collection is to preserve the visual and physical history of science at the NIH. These materials are used for historical research only.
(3) Information contains no PII
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1) Consent is not necessary as there is no PII in the PastPerfect database
(2) Government employees have used these government objects and photographs and donated them to the History Office. PII is not collected from the individuals when the items are cataloged.
(3) The information is shared by users searching the PastPerfect database
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The administrator, Barbara Harkins, creates and manages all of the data that is placed in the database. Harkins provides the passwords to individuals using the system (two other individuals, both employees of the Office of History), performs the backups and the software company, PastPerfect Software, performs regular security checks, back-ups and technical support.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Barbara Harkins
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/2/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Project Performance Monitoring System (PPMS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/12/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4694-00-301-092
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): None
5. OMB Information Collection Approval Number: None
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): NIH Program Performance Monitoring System (PPMS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Rosanna Ng
10. Provide an overview of the system: The NIH Program Performance Monitoring System (PPMS) is a web-enabled centralized secure reporting system used for gathering, managing, analyzing and disseminating program performance and budget data. The system consists of two (2) major components, the NIH Performance Webpage (http://nihperformance.nih.gov) and an online budget and performance reporting system known as Visual Performance Suite (VPS). The Website component of PPMS links to VPS, historic reports, and relevant performance reporting resources. The VPS component of PPMS provides a web-enabled centralized performance reporting database used to collect, store, and report budget and performance data to support NIH's compliance with the Government Performance and Results Act (GPRA) and related NIH-level performance reporting. The PPMS system was deployed to the development server and went "Live" in July 2007.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not applicable
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The VPS component of PPMS provides a web-enabled centralized performance reporting database used to collect, store, and report budget and performance data to assist NIH in meeting the requirements of the Government Performance and Results Act (GPRA) and related NIH-level performance reporting. The system does not contain PII. There is no need to submit personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Not applicable. The system does not collect, maintain, or disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Not applicable. System does not collect, maintain, or transmit PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Roanna Ng
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Purchase Card System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/4/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0216
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Purchase Card System (PCS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Vanessa Palacios (primary), Michelle Foster (backup)
10. Provide an overview of the system: The Purchase Card System tracks NIH employee Purchase Card information. The PCS application will provide authorized staff members of the Purchase Card Program Office with the ability to view, edit, track, and add NIH cardholder/card approval official (CAO) purchase card information. Information includes names, work addresses, work phone numbers, work email addresses, GS Level, employee title, NED ID Number, cardholder/CAO purchase card account, and purchase card training/HHS required purchasing training completion dates.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose the NED ID Number (PII) to others or other systems (the system does not connect to other systems). Only the Purchase Card Program Office has access to the system.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system maintains card users’ identification information that is related to their accounts. The information is used to identify cardholders and manage cardholders' accounts.

1. The Purchase Card System (PCS) is a collection of administrative information of Cardholders (CH)/Card Approving Officials (CAO) held within a website for ease of use for the Purchase Card Office. Information collected includes: Purchase Card Account Information (specifically name of CH/CAO, single/monthly purchase limit of that individual, and purchase card account number), NED ID Number, the dates of purchase card required training as well as when the person has to retake training, and work contact information (work address and work phone/fax number). All information collected is work related.

2. The purpose of such information is so the office knows which accounts are active/inactive, which have been cancelled and when. It also lets the office know which individuals are up for annual refresher training. In essence, this system acts as an electronic file folder of individuals that have or had government issued purchase cards.

3. The NED ID Number is PII and therefore the website contains PII.

4. The submission of the NED ID (PII) is mandatory.

5. Only federal employee information is collected.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1. No major changes have occurred in the system since it is for internal use only by the NIH Purchase Card Program Office.

2. The NED ID Number is a required field in the purchase cardholder/CAO application form.

3. The NED ID Number is not shared (disclosed) outside of the NIH Purchase Card Program Office. Consent to collection of the NED ID Number is given via the purchase cardholder/CAO application form.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to information is role based. The PCS application is monitored with intrusion detection, intrusion prevention, vulnerability assessments and firewalls.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Zedekiah J. Worsham
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Research and Training Opportunities System (RTO)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/8/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-4688-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0014, 09-25-0158, and 09-25-0108
5. OMB Information Collection Approval Number: 0925-0299
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Research and Training Opportunities System (RTO)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Steve Alves
10. Provide an overview of the system: The Office of Intramural Training & Education (OITE) administers a variety of programs and initiatives to recruit and develop individuals who participate in research training activities on the NIH's main campus in Bethesda, Maryland, as well as other NIH facilities around the country. These activities range from internships at the high school level through postdoctoral and clinical fellowships. To facilitate its recruitment function, the OITE maintains the NIH Research and Training Opportunities (RTO) Web site, http://www2.training.nih.gov, which includes applications and related forms for a range of intramural research training programs. The application system includes a back-end database that functions as a centralized repository of information regarding program applicants. Collection of the information in this system is authorized under 42 USC 282(b)(10), 282(b)(13), 241, 242l, 284(b)(1)(C), 284(b)(1)(K), 42 CFR Part 63, and 42 CFR Part 61, Subpart A. The primary use of this information is to evaluate applicants' qualifications for research training at the NIH.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): FDA investigators and administrators involved in the recruitment/selection of trainees may be given access to the applicant databases. Access is otherwise restricted to authorized NIH investigators and administrators.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The electronic application system collects information, including PII, necessary to evaluate the qualifications of individuals who seek intramural research training opportunities at the NIH. These fields include the following: name, month and day of birth, e-mail address, mailing address, telephone numbers, citizenship status, visa status, TOEFL score, institutional affiliations, courses completed and grades earned, grade point average (GPA), academic major, publications, a resume or curriculum vitae, contact information for up to 3 references, cover letter/personal statement, and scientific research interests. Applicants whose citizenship status is permanent resident are required to provide their Country of Citizenship and Alien Registration Number. Candidates also have the option of voluntarily responding to questions regarding gender, race/national origin, and disability (RNO). RNO data are made available to authorized NIH users in aggregate form only.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is collected through a web-based electronic application system. Applicants are presented with a link to the following Privacy Act Notification Statement:
“Collection of this information is authorized under 42 U.S.C. 282(b)(13), 284(b)(1)(C), 241, 242l, 282(b)(10), 284(b)(1)(K), 42 CFR Part 63, and 42 CFR Part 61, Subpart A. The primary use of this information is to evaluate your qualifications for research training at the National Institutes of Health. Additional disclosures may be made to law enforcement agencies concerning violations of law or regulation. Application for this program is voluntary; however, in order for us to process your application, you must complete the required fields.” (Electronic Notice)
Applicants who choose to respond to the separate survey regarding gender, race/national origin, age, and disability are presented with a link to the following instructions:
"This survey is used to collect and analyze data involving race, sex, age, disability, and national origin from applicants for employment. The information you provide will be used for statistical purposes only and will not in any way affect you individually. While completion of this form is voluntary, your cooperation is important to help ensure accurate information regarding employment practices. We ask you to answer each of the questions to the best of your ability. Read each item thoroughly before selecting the appropriate response." (Electronic Notice)
There is no process in place currently to notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Methods are in place to ensure least privilege (i.e., "need to know" and accountability). Accounts to access application data are issued by authorized representatives from the individual ICs. Access to accounts that give the user greater access (to create "read only" accounts and to accept applicants electronically) is controlled by OITE staff. Also, OITE’s Web contractors do not have full administrative rights on development and production servers, and only access specific folders on these servers. Technical controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system include User Identification, Passwords, Firewall, Virtual Private Network (VPN), Encryption, and Intrusion Detection System (IDS). In December 2010, OITE moved RTO behind the Federated Identity Login service (NIH Login). Regarding physical access controls currently on the system, the Web, e-mail, and database servers are maintained in secure NIH buildings at which security guards are posted. Access to the servers is restricted to authorized CIT/OIT individuals with valid Identification Badges.

In addition, the IT contractors are required to adhere to the security guidelines contained in the DHHS Automated Information Systems Security Program (AISSP) Handbook. Software development is performed on servers maintained by the contractor. Staging is on a shared NIH server residing inside the NIH firewall. Development will occur on specific servers maintained by the NIH Office of Information Technology. All contract employees are subject to a National Agency Check and Inquiry Investigation plus a Credit Check (NACIC).
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Steve Alves
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Research Condition and Disease Categorization Budget Estimating Tool (R-BET)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/5/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4620-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Disease Funding Tracking System (DFTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sylvia Bennett
10. Provide an overview of the system: The NIH will implement the Management Planning and Control (MPC) software from Geac to replace the existing DFTS to enhance the system’s capabilities. The MPC implementation will provide the Office of Budget with an application to consolidate all data related to diseases, conditions and research areas for the NIH; use .NET technology instead of JAVA; save history more efficiently than the existing system; and provide better reporting capabilities, both ad-hoc and production. The main MPC database will reside in Microsoft (MS) SQL Server, which also houses the web interface. The existing DFTS will be the main source of historic data. Approximately 18 years of history (1987-2004) will be loaded, with verification being the responsibility of NIH. The NIH will supply extracted and cleansed data in a format compatible with the Geac Data Loader Utility. DFTS data is available to the public.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system contains disease fund tracking. The information can be sorted into reports based on:
- Disease By Year By IC
- Disease By IC By FY
- Disease Actual vs. Estimate
- Disease Comparison By FY
- Percentage Change By IC

Other reports/views may be created by NIH staff. DFTS contains no IIF.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Sylvia Bennett
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Research Portfolio Online Reporting Tools (RePORT)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Research Portfolio Online Reporting Tools: Expenditures and Results (RePORTER)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Onken
10. Provide an overview of the system: NIH RePORTER is an online interface that provides access to NIH-funded research projects and the results (publications and patents) citing this support. Only public information available through other existing websites—NIH grant awards, intramural projects, PubMed references, and patent ID numbers from the US Patent and Trademark Office—is available through RePORTER. Users are able to query the database by entering terms or making fielded selections, and the results of the query are returned in a project listing that includes the project number, subproject identifier (if applicable), project title, contact principal investigator, performing organization, fiscal year of funding, NIH administering and funding Institutes and Centers (IC), and the fiscal year total costs provided by each funding IC.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information on NIH-funded research is shared with the public for transparency and so they can benefit from the results of that research.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: NIH RePORTER provides public access to NIH-funded research projects and the publications and awarded patents that have cited this support. These data are in the public domain and accessible to members of the public from several sources, including the DHHS TAGGS database, Medline, PubMed Central, the NIH Intramural Database, and the US Patent and Trademark Office database. The only PII disseminated is the Principal Investigator name.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Notification to and consent of Principal Investigators is provided when they apply for a grant through NIH eRA systems.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All information in the system is public information. No PII is collected, stored or disseminated.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: James Onken
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Research Training Programs Web Site [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/17/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0014, 09-25-0108, 09-25-0140, 09-25-0158
5. OMB Information Collection Approval Number: 0925-0299
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Research Training Programs Web Site (RTP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Patricia M. Sokolove, PhD
10. Provide an overview of the system: The purpose of the NIH Research Training Programs Web Site (RTP), https://www.training.nih.gov, is to provide access to information regarding NIH intramural training programs and OITE services for prospective and current trainees, staff in the NIH Intramural Research Program, trainees and faculty in the extramural community, and other site visitors.

The RTP site enables OITE to:

- Increase ease of access to the services provided by OITE for trainees in the NIH IRP
- Deliver high-quality, timely information on NIH intramural training programs to OITE's internal and external constituencies
- Streamline internal user community functions in OITE such as registration for and evaluation of events, lectures, and workshops
- Provide networking opportunities for current NIH trainees, program alumni, and NIH staff

The Alumni Database is designed to (1) track where the NIH-IRP trainees go once they leave the NIH; and (2) use the alumni population to further enhance the training experience of the program matriculates; a service already performed by many university alumni databases.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Authorized OITE staff have access to system data via a CMS on the back end. Registered Trainees, NIH/FDA Staff, and Alumni have access to the public profile data of Alumni who indicated their willingness to serve as Networking Contacts. Public profile data are shared to provide networking opportunities for current trainees and other registered users.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (1) The type of information collected when a user registers for an account on the RTP site varies by user type, as follows (fields marked with an asterisk are required):

{ All users }
- User Type* [Current NIH Trainee/Fellow, Current NIH Staff, Guest, or Alumni]

{ Current NIH Trainee/Fellow account fields }
- NIH ID/Badge Number*
- Institute/Center (IC)*
- Campus
- Trainee Type*
- Current NIH Training Program*
- Honorary Title
- First Name*
- Middle Name
- Last Name*
- E-mail* (must be a valid, working NIH or FDA e-mail address)
- Permanent E-mail*
- Preferred E-mail Address
- Password*

{ Current NIH Staff account fields }
- NIH ID/Badge Number*
- Institute/Center (IC)*
- Campus
- Current NIH Position*
- Honorary Title
- First Name*
- Middle Name
- Last Name*
- E-mail* (must be a valid, working NIH or FDA e-mail address)
- Password*

{ Guest account fields }
- Highest Education Level*
- Current Institution
- Honorary Title (Mr., Ms., Dr., etc)
- First Name*
- Middle Name
- Last Name*
- E-mail*
- Password*

{ Alumni account fields }
- Honorary Title
- First Name*
- Middle Name
- Last Name*
- Suffix
- Street
- City
- State
- Zip
- Country
- Phone Number
- Fax Number
- Permanent E-mail*
- Password*

NIH History
- Institute/Center (IC)*
- NIH Training Program*
- When were you at the NIH for this program*
- NIH PI
- Current Status* [Continuing high school, Entering a bachelor's degree program, etc.]

Education
- School*
- City*
- State*
- Country
- Degree(s)*
- Date of Degree Receipt
- Major/Option/Program (If applicable)
- Current Institution ("I am currently enrolled at this institution") [Yes/No]

Employment
- Organization*
- Department
- City*
- State*
- Country
- Job Title/Function*
- Annual Salary
- Description of Bonus/Benefits
- Additional Comments
- Employment Sector (Academic - Research University, Academic - University, primarily teaching, etc.)
- Current Institution ("I am currently employed by this institution") [Yes/No]
- Dates of Employment*

- Networking Contact* [Yes/No]
("Are you willing to serve as a networking contact for NIH trainees? We anticipate that they might seek your advice on career planning, the graduate/professional school application process, the job search process, or your particular position? Please note that only your name, place of employment/education, your NIH trainee status, and your preferred method of contact will be displayed if you choose to volunteer as a networking contact. Note: By clicking yes, you are authorizing OITE to include you in the searchable database. By clicking no, you will not be included in any search results provided to the public.")

- Career Counselor Contact* [Yes/No]
("Would you be willing to be a contact for career counselors in the Office of Intramural Training & Education at the NIH or OITE staff organizing training events?")

- Contact Method [E-mail/Phone]

(2) The purpose of the RTP system is to provide access to training information and OITE services for prospective and current trainees, staff in the NIH Intramural Research Program, trainees and faculty in the extramural community, and other site visitors. Access to some information is restricted to certain user groups. The purpose of the Alumni Database is (1) to welcome current NIH Intramural scientists and trainees, alumni of the NIH Intramural community, and scientists in the broader community interested in learning more about the NIH intramural community, and (2) to promote networking in, and across disciplines, in the sciences.

(3) The information collected contains PII.

(4) Submission of personal information is voluntary; however, in order to access certain information (e.g.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1) At present, there is no process in place to notify and obtain consent from individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection).

(2) The following text appears at the top of the Alumni Database registration form (https://www.training.nih.gov/alumni/register):

Thank you for taking the time to create an entry for yourself in the NIH Alumni Database. This is a new venture for the NIH Office of Intramural Training & Education (OITE) and we have big plans.

You may be wondering why you should take the time to complete the brief form below today and keep your entry up to date in the future. Here are several reasons:

 - First, what's in it for YOU? Networking! You will be helping to create a searchable database of potential colleagues that you can mine to meet your own needs and those of your students and friends. But, in addition
- The OITE invites former NIH trainees to speak at events like the Career Symposium and the National Graduate Student Research Festival. The success of those ventures depends on our keeping in contact with a diverse group of NIH alumni that could include you.
- Applicants to NIH training programs often want to know where program participants go next. Where do NIH postbacs go to graduate or professional school? Where do NIH postdocs find jobs? You can help us provide those data.
- If you wish, you can become part of a worldwide network of NIH alumni who are willing to answer current trainees' questions about schools and jobs.

Database Rules:

- Information that you enter into the database will be made public e.g., to applicants to NIH programs or in publications describing NIH programs, only in the aggregate; no personally identifiable information will be published.
- Your personally identifiable information (see below) will be included in the searchable database only if you authorize the OITE to include it. You can change your mind at any time.
- Only former NIH trainees with entries in the Alumni/ae Database, current NIH trainees, and NIH staff will be able to search the Database.
- You can update your educational and/or employment history and preferences at any time.

(3) Authorized OITE staff have access to system data via a CMS on the back end. Registered Trainees, NIH/FDA Staff, and Alumni have access to the public profile data of Alumni who indicated their willingness to serve as Networking Contacts. Authorized users must log in in order to access the Alumni Database. Public profile data include the following fields:

- First Name
- Middle Name
- Last Name
- Suffix
- Preferred method of contact (Phone Number or Permanent E-mail)
- Institute/Center (IC)
- NIH Training Program
- When were you at the NIH for this program
- NIH PI
- Organization
- Department
- City
- State
- Country
- Job Title/Function
- Employment Sector
- Current Institution
- Dates of Employment
- School
- City
- State
- Country
- Degree(s)
- Date of Degree Receipt
- Major/Option/Program
- Current Institution
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: An individual who creates an account must provide a valid, working e-mail address as part of the registration process. Upon submitting the account information, the user receives an e-mail message containing an account activation link. A user wishing to create a Trainee or NIH/FDA Staff account must provide an e-mail address ending in nih.gov or fda.hhs.gov. The account activation message is sent to this e-mail address (even if the user's preferred e-mail address is their permanent e-mail address).

Once users activate their account, they can modify their profile whenever desired by logging on to the system. User passwords are not visible to any users, including OITE staff.

Access to the Alumni Database is restricted to holders of registered Trainee, NIH/FDA Staff, and Alumni accounts. Guest users are not authorized to access this part of the system.
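The registration flow above has two points a reviewer would want to see implemented carefully: the nih.gov/fda.hhs.gov restriction must compare the whole domain after the "@" (a plain suffix test such as "ends with nih.gov" would also accept an address at evilnih.gov), and the activation link should be a single-use, expiring token of which only a hash is stored, so that neither it nor the password is readable by staff. The following is an added example written for this page, not RTP's own code; the 24-hour token lifetime, the class and function names, and the use of PBKDF2 for password hashing are assumptions.

```python
"""Added example (not RTP's own code): e-mail domain gating for Trainee/Staff
accounts plus a hashed, single-use, expiring activation token.
Names, the token lifetime and the password-hashing parameters are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Domains the PIA says a Trainee or NIH/FDA Staff account must use.
ALLOWED_STAFF_DOMAINS = ("nih.gov", "fda.hhs.gov")


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of a syntactically plausible address, else None."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()


def is_staff_email(email: str) -> bool:
    """Match the whole domain or a sub-domain of it (mail.nih.gov), never a bare
    string suffix: email.endswith("nih.gov") would also accept evilnih.gov."""
    domain = email_domain(email)
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED_STAFF_DOMAINS)


@dataclass
class PendingAccount:
    user_type: str
    email: str
    password_hash: bytes      # salted PBKDF2 digest, never the password itself
    salt: bytes
    token_digest: bytes       # SHA-256 of the activation token, not the token
    expires_at: float
    activated: bool = False


class Registry:
    TOKEN_TTL = 24 * 3600     # assumption: activation links expire after one day

    def __init__(self) -> None:
        self._accounts: Dict[str, PendingAccount] = {}

    def register(self, user_type: str, email: str, password: str,
                 now: Optional[float] = None) -> str:
        """Validate the address for the requested user type, store a salted
        password hash, and return the activation token to be e-mailed."""
        now = time.time() if now is None else now
        if email_domain(email) is None:
            raise ValueError("invalid e-mail address")
        if user_type in ("trainee", "staff") and not is_staff_email(email):
            raise ValueError("Trainee/Staff accounts require an nih.gov or fda.hhs.gov address")
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        token = secrets.token_urlsafe(32)
        self._accounts[email.lower()] = PendingAccount(
            user_type, email.lower(), pw_hash, salt,
            hashlib.sha256(token.encode()).digest(), now + self.TOKEN_TTL)
        return token

    def activate(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Single use: succeeds once, before expiry, with a matching token."""
        now = time.time() if now is None else now
        acct = self._accounts.get(email.lower())
        if acct is None or acct.activated or now > acct.expires_at:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(acct.token_digest, presented):
            return False
        acct.activated = True
        return True

    def is_active(self, email: str) -> bool:
        acct = self._accounts.get(email.lower())
        return acct is not None and acct.activated


if __name__ == "__main__":
    reg = Registry()
    link_token = reg.register("trainee", "jane.doe@nih.gov", "correct horse battery")
    print("activated:", reg.activate("jane.doe@nih.gov", link_token))
```

Because only the SHA-256 of the token and a salted PBKDF2 digest of the password are kept, a database read by an administrator (or an attacker) yields neither the activation link nor the password, which is the property the PIA claims for passwords.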

The data collected and stored in the RTP system are hosted on servers located at Equinix; see http://www.equinix.com/ for specific details on the hosting environment and its security elements.

Physical access to the hosting environment at Equinix requires visit letters, a photo badge, biometric screening, and pre-authorization. Equinix is a SAS Type I and Type II certified data center with 24x7x365 security staff, access controls, biometric controls, physically separated data spaces, and cameras inside and outside the facility.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 10/14/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Safety Reporting Portal
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable 
1. Date of this Submission: 8/9/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0200 (Clinical, Basic and Population-Based Research Study Records)
5. OMB Information Collection Approval Number: 0910-0645
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Safety Reporting Portal (SRP)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kelly Fennington
10. Provide an overview of the system: The Safety Reporting Portal Project (SRP) was initiated in order to develop a single portal for the electronic submission and analysis of adverse event data in a standardized format to accommodate existing Federal requirements. The SRP will result in a Web-based method for consumers, health professionals, investigators, sponsors, and other parties to electronically submit adverse event reports and other safety information (e.g., consumer complaint and product problem reports) utilizing applicable data sets. The portal will employ an interactive help system that will help reporters determine what specific data need to be submitted and to whom. The system will utilize electronic data exchange standards to make this resource available to anyone needing to report either post- or pre-market adverse event information to FDA or NIH. This collaborative project is expected to create tools that will allow any user to submit adverse event information that corresponds to a wide range of forms already in use by many agencies.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII may be entered into the system by various stakeholders, including consumers, health professionals, investigators, and sponsors. The system will share or disclose PII to NIH and FDA for the purpose of electronically submitting adverse event reports and other safety information (e.g., consumer complaint and product problem reports).
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The portal will employ an interactive help system that will help reporters determine what specific data need to be submitted and to whom. The system will be available to anyone needing to report either post- or pre-market adverse event information to FDA or NIH. This collaborative project is expected to create tools that will allow any user to submit adverse event information that corresponds to a wide range of forms already in use by many agencies, i.e., FDA Forms 1005 and 1002, VICH GL42, and GeMCRIS.

In each case, the Government Authorization for collecting PII is the same as it is per the corresponding form currently in use today (e.g. section 519 of the Federal Food, Drug, and Cosmetic Act for post-market medical device reporting). The information described on the existing and corresponding forms will be requested through the SRP. The type of PII included in these reports and whether submission of personal information is voluntary or mandatory depends on the type of report and whether it is an initial report or a follow-up report.

In general, the system has the capability to include PII relating to:
- General Notification Information (e.g., Provider/Physician Name, reporter name, Manufacturer contact name, etc.)
- Subject Demographic Information (including Patient Identifier, Patient/Owner Name and address, Patient's age/DOB, gender, race, height, weight, family information, phone number, email, etc.)
- Medical and Event Information (including Adverse Event description containing event outcome, symptoms, reactions, diagnosis, lab results, autopsy information, vaccine information, subject medical history, interventions, observations, and may also include attachments of medical records).

A more detailed analysis of the types of information to be contained in the system, including PII, has been documented in the System Security Plan under “System Security Categorization”.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) A Notice of Privacy Practices (NPP) will be posted on the Portal.
Consent from users is not required: Law mandates what PII must be collected in mandatory reports.
In voluntary reports, the entering of PII is not mandatory.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical: Guards, identification badges, key cards, cipher locks and closed circuit TV.
Administrative: System security plan, contingency (or backup) plan, user manuals for the system and methods are in place to ensure least privilege.
Technical: User Identification, passwords, and encryption.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 1/20/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Science and Technology for America's Reinvestment (STAR) Measuring the Effect of Research on Innovation, Competitiveness and Science (METRICS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/12/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Science and Technology for America’s Reinvestment: Measuring the EffecTs of Research on Innovation, Competitiveness and Science
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jack Vinner
10. Provide an overview of the system: STAR METRICS is being created in direct response to OMB and OSTP’s request that Federal agencies “develop outcome-oriented goals for their science and technology activities, establish procedures and timelines for evaluating the performance of these activities, and target investments toward high-performing programs. Agencies should develop ‘science of science policy’ tools that can improve management of their research and development portfolios and better assess the impact of their science and technology investments. Sound science should inform policy decisions, and agencies should invest in relevant science and technology as appropriate.”[1]

Although the importance of public investments in science, technology, and innovation is understood, the rationale for specific scientific investment decisions lacks a strong theoretical and empirical basis. Accordingly, given the magnitude of the Federal investment and the importance of that investment to our Nation, science policy decision makers must have at their disposal the most rigorous tools, methods and data that will enable them to develop sound and cost-effective investment strategies.

The Office of Management and Budget (OMB) and the Office of Science and Technology Policy (OSTP) asked federal agencies to respond to questions about the impact of federal investments in science, particularly with respect to job creation and economic growth. It is important to collect and analyze data so that such questions can be credibly answered. Currently, the tools available for generating empirical data that would reflect this collective value of the government’s grant-based investments in science and technology are inadequate. Additionally, there is currently no data infrastructure that identifies the universe of individuals funded by federal science agencies (PIs, coPIs, graduate and undergraduate students, lab technicians, science administrators, etc.) and that systematically couples science funding with the outcomes generated by those individuals.

STAR METRICS is a web-based application that allows authorized users to upload and manage reporting for federal grants in science and technology. Many pages of the STAR METRICS site are available to users without authentication and authorization. These pages contain content embedded in the HTML, with no reliance on databases or other software. These pages describe items such as:
· Program overview
· Upcoming events
· Participation guidance
· Data field description
· Frequently Asked Questions
In order to gain access to restricted content and functionality of the STAR METRICS site, users must have an account supported by NIH Federated Login (i.e. NIH, NIH-External, InCommon, etc.) and must be authorized for access. STAR METRICS administrators can authorize users by assigning one or more roles to the user account for one or more organizations (research institutes and/or federal agencies). Access requests are approved and the proper permissions assigned based on the roles a user will perform for his/her affiliated organization. Once a user has an account in NIH-External or another NIH-supported user repository, STAR METRICS project administrators grant access to the site and its functionality by creating a user record associating a user’s username to a unique identifier. The administrator then manually assigns one or more roles to the user account. This process is accomplished by using tools available to project administrators only, such as SQL scripts.

Access to the STAR METRICS website is enforced using a role-based permission scheme. Authorized users may be assigned one or more roles depending on the level of access required. The following table summarizes the roles.
Role       Permissions Granted
Guest      · View public content
           (This is the default role if no other roles are assigned.)
Consumer   · View data processing status for the organization(s) for which the role is as
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: General Overview: Anonymized administrative records are expected to be received from universities. These records will be used to develop measurable outcomes such as jobs and FTEs funded by federal and stimulus science research grant programs. In addition, the data will be matched at the PI level, from publicly available data, with external databases such as the patents registry[1] and information about citations and publications for the PIs. This, however, will only be performed by participating universities, not the NIH.

(1) The information the agency will collect, maintain, or disseminate:
a. Awards Compensation – People & Payroll Records

· Anonymized unique Employee IDs (not Social Security numbers) of grant-funded personnel
· Occupational Classification
· Federal Award ID number (as provided by the federal grant provider)
· Hours/time charged against the grant account(s) by individual
· Proportion of wages paid to this person for this award at designated pay periods.
· Universities will provide an additional column for FTEs (allocation)
b. Overhead Charges
· Approved overhead rate (this is a complex number, because the overhead rate is different from the actual overhead in many cases).
· Provide the most recent detailed justification of overhead costs approved by your cognizant agency.
c. Non-Payroll Charges
· Actual non-payroll charges
· For the non-payroll charges against Awards, information regarding nature of the charge (contract, purchase, invoice, etc), recipient and amount would be useful
d. Subcontract/Sub-awards
Universities will provide a column for sub-award/subcontract costs budgeted under that award that month

(2) Why and for what purpose the agency will use the information:
a. To respond to the ARRA requirement to produce estimates of job creation and retention associated with the Stimulus funds
b. To respond to the OMB and OSTP requirement that federal agencies manage their portfolios by using sound science, developing datasets, measuring outcomes and evaluating performance.[2]
c. The 2008 Advisory Committee for the Government Performance and Results Act (GPRA) recommended that NSF "consider ways to convey the long view of NSF investments in science and engineering" and "track future outcomes from people trained and supported by the Foundation." The committee noted that it takes time (up to 20 years) to move from a scientific discovery to a societal impact or market innovation, and it similarly takes time for human capital to develop after the educational investment has been made. If allowed to take a longer perspective, NSF could make the dynamic relationships between strategic goals and outcomes more clear. A performance assessment framework must use a diverse set of measures, timescales, and types of evidence. An annual reporting schedule limits discussion of long-term outcomes, which are the most meaningful for evaluating basic research and education.
d. To respond to the call from the Science of Science Policy Working Group established by the Office of Science and Technology Policy NSTC Committee on Science. That group was charged with developing an evidence-based framework for making policy investments in research and development. Its December 2008 Science of Science Policy Roadmap articulates the need for, and absence of, a data infrastructure on which science policy decisions can be based. Such an infrastructure requires information on the universe of individuals funded by federal science agencies (PIs, coPIs, graduate and undergraduate students, lab technicians, science administrators, etc.) and systematically couples science funding with the short-term and long-term outcomes generated by those individuals.


(3) Explicitly indicate whether the information contains PII:
a. No

(4) Whether submission of personal information is volunt
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII is collected or maintained on the system.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Promoted by Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD SciLife
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/9/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: No: included in the existing mentoring project by OBSSR
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0014
5. OMB Information Collection Approval Number: 0925-0475
6. Other Identifying Number(s): None
7. System Name (Align with system Item name): SciLife
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Bruce Fuchs
10. Provide an overview of the system: To engage high school students in underserved communities through a series of practical workshops on career exploration and college planning. One of the leading occupational choices for both males and females is health care. This is encouraging because 9 of the 20 occupations projected to grow the fastest over the next 10 years are in health care (Bureau of Labor Statistics, 2002, 2003; Thompson and Chao, 2003). However, students who choose this field more often than not state that they plan to be doctors, and few can name other kinds of medical careers (CIEWD, 2002). The National Institutes of Health (NIH) Office of Science Education (OSE) provides the LifeWorks™ Web site as a tool for students to use to raise their awareness about the broad range of health and medical science career pathways and to help them make career decisions.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No 09-25-0014
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1 & 2. OSE will collect names, addresses and emails for the purpose of registration for the SciLife program.

3. Yes, we collect names, addresses and emails.

4. The submission is voluntary if they want to register for the program.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) 1. The information is used for contacting the customers only. We notify them via email for changes if any.

2. We collect PII information for our internal registration use only. We do not give out their information.

3. We do not give out PII information other than required by law.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative: Regular access to information is limited to National Institutes of Health, Office of Science Education (OSE) contractors and employees who are conducting, reviewing or contributing to the SciLife 2008 program. Other access is granted only on a case-by-case basis, consistent with the restrictions required by the Privacy Act (e.g., when disclosure is required by the Freedom of Information Act), as authorized by the system manager or designated responsible official.
Physical Safeguards: Servers where documents are stored are in closed, restricted buildings, in areas which are not accessible to unauthorized users, and in facilities which are locked when not in use. Records collected for this project are maintained separately from those of other projects. Sensitive records are not left exposed to unauthorized persons at any time. Sensitive data in machine-readable form may be encrypted. Faxed permission forms are received in secure, electronic form.
Technical Controls: Access to records is controlled by responsible employees and is granted only to authorized individuals whose identities are properly verified. Data stored in computers is accessed only through authentication by authorized personnel. When personal computers are used, magnetic media (e.g. diskettes, CD-ROMs, etc.) are protected as under Physical Safeguards. When data is stored within a personal computer (i.e., on a "hard disk"), the machine itself is treated as though it were a record, or records, under Physical Safeguards. Contracts for operation of this system of records require protection of the records in accordance with these safeguards; OSE project and contracting officers monitor contractor compliance.
http://oma.od.nih.gov/ms/privacy/pa-files/0156.htm
RETENTION AND DISPOSAL:
Records are retained and disposed of under the authority of the NIH Records Control Schedule contained in NIH Manual Chapter 1743, Appendix 1 - "Keeping and Destroying Records" (HHS Records Management Manual, Appendix B-361), item 1100-C-2. Refer to the NIH Manual Chapter for specific disposition instructions.
SYSTEM MANAGER(S) AND ADDRESS(ES):
See Appendix I.
Policy coordination for this system is provided by: Acting Director, Office of Reports and Analysis, Office of Extramural Research, Office of the Director (OD), Building 1, Room 252, 1 Center Drive, Bethesda, MD 20892.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Secure Payee Registration System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Secure Payee Registration System (SPRS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Karen Logue
10. Provide an overview of the system: The Office of Financial Management (OFM) Secure Payee Registration System (SPRS, pronounced “spurs”) was designed to directly replace the use of the Central Contractor Registry (CCR) in the SREA Payment and Reporting System (SREA PRS) used by OFM and the Center for Scientific Review (CSR) to pay individuals for their participation in the peer review process. SPRS is a web-based application which collects and stores information required by the US Treasury and the IRS to make payments to individuals and handle appropriate year-end reporting. SPRS was designed to be flexible enough to accommodate multiple associated payment applications (“partner applications”), like SREA PRS, so that eventually OFM will have a single repository of this sensitive information instead of having various gap systems collecting and maintaining their own data separately.

SPRS allows for the secure authentication of individuals who can modify their own registration data. Further modification of the data is limited to select OFM personnel. In this way SPRS puts the control of the individuals’ data (and the responsibility of keeping it up to date) back in their own hands, freeing OFM staff for other tasks. SPRS is a private system, and the data in SPRS is only for use by OFM staff and others who have a role in making sure the registrants get paid. Particularly sensitive data in SPRS is encrypted before it is stored to prevent compromise of the data in the case of theft.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PII for the individuals registered in the system is shared with the US Treasury for the purposes of paying the individuals for their services. The information is also sent to the NIH Central Accounting System to track the payments. Finally, administrative users of the system have access to the information for the purposes of correcting errors and troubleshooting problems related to individual registrations and payments.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: For each registrant SPRS collects and maintains a history of the user’s login name*, first*, middle, and last name*, Social Security Number, mailing address*, email address*, bank account number, bank routing number, and bank account type (* indicates mandatory). The information will be used to pay the individuals for their services rendered or amounts otherwise due to them from NIH. Information collected is PII. Submission of PII is mandatory in order to receive payment from the NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No process exists for notifying individuals of major changes to the system or use of the information – no changes are planned. Should such a change occur that would require notification, the individuals would likely be notified by email.

In the case of the SREA PRS peer application, during registration, the individuals actively supply their SSN and banking information. A description of the use of this information is available in a Frequently Asked Questions (FAQ) page available to registrants. Their name, mailing address, and email address are imported from the eRA Commons/IMPAC II system; notice for use of this information is not mentioned in the FAQ.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The externally-accessible site is protected by NIH Login, and the only information accessible on the external site is that of the user (registrant) logging in. There is no access to other registrants’ information from the external site regardless of login. The sensitive information (SSN, bank account information) entered by these users is encrypted in the database to prevent unauthorized access. The internal site is similarly protected by NIH Login and can only be accessed from systems on the NIH campus or via VPN. Only users authorized to access the internal site may log in, and by default these users do not have access to SSN or banking information of the registrants. Access may be granted to view and change this sensitive information by the system owner if it is deemed necessary for the proper operation of the system (troubleshooting problems, for example). The web server and database server that comprise the system are subject to the physical controls imposed by the hosting centers.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 3/20/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Status of Funds Internet Edition (SOFie)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/4/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Status of Funds, Internet Edition (SOFie)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Pat Porter or Deepak Mathur
10. Provide an overview of the system: SOFie is a reporting tool that allows an Institute/Center (IC) to manipulate and report on financial transactions and general accounting information downloaded from the NIH Central Accounting System (CAS). It tracks budget allocations, open commitments, obligations, invoicing and payments. Transactions are passed through other systems and then downloaded, or linked into the shared data system nVision Data Warehouse, where they are then uploaded into SOFie and exported to Excel. Downloads are processed on a daily basis, generally in the evening hours to ensure all allocation entries and adjustments have been captured in real time. The daily downloads allow administrative and management staff to accurately report on the budgets established within the IC office, laboratory, section or branch. Financial Transaction Accounting Structure (MAS). The MAS groups the CANs into summary levels which include the appropriation source, allotment number, budget activity, allowance name, cost center, and CAN is tied to a project Number, categorized by the Object Class Code (OC), and summarized and itemized by individual Document Numbers assigned for reference purposes. Additional manipulation is possible to track expenses by month of fiscal year, by date range, and through several stages of the acquisition process.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Fiscal year operational information and general accounting data is downloaded from the NIH Central Accounting System (CAS) into a commercial off-the-shelf (COTS) software product purchased by the Institute/Center (IC) and exported to Excel. The financial information is specific to the IC and is organized by category (e.g. salary, benefit, award, appropriation, central services, etc.). It can be stored by organizational code, object class code, date or amount of a commitment, expenditure, or obligation, etc. The system contains no personally identifiable information (PII) on any individual.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 10/14/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Stem Cell Survey Database
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/7/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0106
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH Human Stem Cell Guidelines Comments Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tom Turley
10. Provide an overview of the system: A web based form is provided that asks the public to comment on the "Draft NIH Human Stem Cell Guidelines" policy (URL http://nihoerextra.nih.gov). Three data items are asked for:
Name, Affiliation and Comments. The name is the only piece of data that is PII and it is optional. The web server will insert the comments in an MS SQL 2005 database. The comments will all be publicly available.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Respondents are notified that the data items listed in answer 10 will all be publicly available.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Question 10 lists the data that will be voluntarily collected. PII data submission is voluntary (first and last name is the only PII collected).
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Respondents are notified while they are filling out the comment form that the only PII data item asked for is optional. The comments provided will be considered by the Federal Government while shaping Human Stem Cell Usage policies.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls are in place including guards, keycards, and ID badges.

Administrative controls are in place that ensure least privilege for each user group as appropriate. System administrators will have full access, but the general public will only be able to submit and browse survey responses. All system administrators take required training each year to ensure they understand how to secure information systems and PII data properly.

Technical controls are in place to ensure that those with access to sensitive data and systems use industry accepted best practices to secure login credentials. A corporate firewall is in place that only allows web traffic from outside of NIH; all other firewall ports are closed to prevent outside intrusion.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Promoted by Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Strategic Initiatives Database [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/20/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8610-00-402-125
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0036
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): OD Strategic Initiatives Database (SID)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Scott Jackson
10. Provide an overview of the system: The new Strategic Initiatives Database (SID) provides a robust, scalable, and relational database environment that will store the data and business rules (procedures) required to maintain the strategic initiative budgetary information for forecasting and extensive reporting. It also includes a graphical user interface (GUI) that will be highly deployable by reducing the points of deployment to a single location – the Internet. The SID will allow the OD Office of Portfolio Analysis and Strategic Initiatives (OPASI) to access their workloads and will provide them with the tools to print standard and ad hoc reports that meet their daily requirements for financial grant information. The SID will allow budget officers across the enterprise to acquire data (via a secure GUI) for their own budgetary processes. Similarly, the SID controls user access to allow specific data to be viewed only by relevant Users by use of Active Directory (AD) and database security controls.

As a result, the OD OPASI can expedite budgetary changes by applying the changes to the SID data, making forecasting and reporting data immediately reflect accurate, real-time modifications to grant financial information before the effects take place in the IMPACII or DataWarehouse databases. This step circumvents the time-costly need to wait for updates to IMPACII or DataWarehouse data, which often take several days or weeks to reconcile if the results there are incorrect. With the SID, the numbers are made available immediately (and later reconciled with the IMPACII and DataWarehouse databases) or immediately rectified when problems become apparent.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is obtained from the eRA system and shared with NIH Budget and Program staff to assist with tracking the funding of research grants IAW SOR# 09-25-0036.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The new SID will store business data including name, phone number, and e-mail addresses, which are required to maintain the strategic initiative budgetary information for forecasting and extensive reporting. It also includes a graphical user interface (GUI) that will be highly deployable by reducing the points of deployment to a single location – the Internet. The system contains IIF that is a required part of the grant application.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) IIF is submitted as a part of the grant application process. Information used by the OD Strategic Initiatives Database (SID) is taken from the ERA grant application. Notification and consent from the individual is assumed when the grant application is submitted. All notification and consent is taken care of via the Grant application submission process.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF in the system will be secured using administrative controls such as least privilege access, which allows for role-based security measures to be in place. Technical controls include single sign-on using user name and password, housing the system behind a firewall in a server room with no external access, and implementing an intrusion detection system. Physical access controls include guards, identification badges, and key cards. All personnel not having card key access are escorted.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/30/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Technology Tracking System (TechTracs)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/2/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4621-00-110-219
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0168
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): TechTracS
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stephen Finley
10. Provide an overview of the system: NIH TechTracS is a relational database management system that manages and monitors all aspects of the technology transfer process; i.e., CRADAs, invention disclosures, U.S. and foreign patent prosecution, license applications and agreements, technology, marketing, royalties’ collection, technology abstracts, statistics, and financial management.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): 1) Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
2) Disclosure may be made to the Department of Justice or to a court or other tribunal from this system of records, when (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case HHS determines that such disclosure is compatible with the purpose for which the records were collected. Disclosure may also be made to the Department of Justice to obtain legal advice concerning issues raised by the records in this system.
3) NIH may disclose records to Department contractors and subcontractors for the purpose of collecting, compiling, aggregating, analyzing, or refining records in the system. Contractors maintain, and are also required to ensure that subcontractors maintain, Privacy Act safeguards with respect to such records.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) The OTT will collect and store inventor name, address, NED Unique Identifier (SSN required if inventor is receiving royalties and is a non-NIH employee), title and description of the invention, Employee Invention Report (EIR) number, Case/Serial Number, prior art related to the invention, evaluation of the commercial potential of the invention, prospective licensees' intended development of the invention, associated patent prosecution and licensing documents, and royalty payment information.
2) The OTT will collect this information to obtain patent protection for PHS inventions and licenses for these patents to: (a) scientific personnel, both in this agency and other Government agencies, and in non-Governmental organizations such as universities, who possess the expertise to understand the invention and evaluate its importance as a scientific advance; (b) contract patent counsel and their employees and foreign contract personnel retained by the Department for patent searching and prosecution in both the United States and foreign patent offices; (c) all other Government agencies whom PHS contacts regarding the possible use, interest in, or ownership rights in PHS inventions; (d) prospective licensees or technology finders who may further make the invention available to the public through sale or use; (e) the United States and foreign patent offices involved in the filing of PHS patent applications.
3) The information collected contains PII (Social Security Numbers) for non-NIH inventors who are to receive royalty payments.
4) The submission of the SSN by non-NIH inventors is mandatory only if they are to receive royalties.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Any changes that are made to the information collected would be provided via our website and on any updated EIR. We also have the capability to send e-mails directly to individuals from TechTracS. We have not had any significant changes to this data since TechTracS was launched and have not had to do this.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Through the use of limited field access restricted to the system administrator, user IDs and passwords, the NIH firewall, and intrusion detection systems. The SSN field is viewable only by the system administrator. The front doors to OTT require a key card for access, as does the server storage room. New security safeguards for the protection of SSNs and other personally identifiable information are being made to the system, in that the NED ID Badge Number is being used as a substitute for the SSN in some cases. The OTT will work with its ISSO to address additional security measures with the new TechTracS system and look for possible solutions at the earliest opportunity.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Susan Bruff
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Women of Color Research Network
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: 
1. Date of this Submission: 8/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0156
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH OD Women of Color Research Network (WoCRn)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: J Taylor Harden, PhD taylor_harden@nih.gov or cerise_elliott@nih.gov
10. Provide an overview of the system: The NIH OD Women of Color Research Network (WoCRn) is a web-based application to engage and build a community of scholars and women of color in biomedical research. Members of the WoCRn are volunteers who self-identify as women of color or who are interested in issues of women of color in biomedical research. The network will be a key component of the NIH and OD Office of Research on Women’s Health (ORWH) outreach efforts to provide technical and capacity-building assistance to communities of color, constituencies of NIH staff, and other relevant community-based organizations and institutions serving racial and ethnic minority and women’s populations.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system shares or discloses PII with NIH, the wider scientific community and any member of the public, through closed membership, for the purpose of providing opportunities for women of color to network and receive mentoring and contribute to expanding the diversity of the scientific workforce.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) The National Institutes of Health (NIH), through the efforts of the NIH Working Group on Women in Biomedical Careers, is pursuing innovative actions to enhance the inclusion of Women of Color (WOC) in biomedical research careers. WOC face challenges related to both sex/gender and race/ethnicity, the combination of which warrants specific attention. The Women of Color Research Network (WOCRN) is one way that NIH hopes to ensure that the unique career challenges faced by WOC are addressed, including recruitment, retention, promotion, and mentoring. It is intended to open doors to new collaborations, career development opportunities, and to provide new avenues for those interested in diversity to connect and interact.

The WOCRN includes career resources, a forum for the exchange of ideas, and a registry where participants can identify themselves, their expertise, and their interests, and can seek out a mentor, a mentee, or both. It provides a platform and source of information for those interested in supporting WOC in biomedical and behavioral research.

The WOCRN is intended to provide opportunities for networking and mentoring for WOC with each other, the NIH, the wider scientific community, and any member who would like to contribute to expanding the diversity of the scientific workforce. Periodically, members may receive email alerts from the NIH and the Office of Research on Women’s Health noting upcoming events, invitations to participate in review, and notice of relevant advances in science. This network was designed with the hopes that active participation will help prepare and promote the participation of talented women and men of all backgrounds in the scientific workforce.
2) The information in the system will be used for outreach and to aid in diversification of the NIH workforce.
3) The information in the system includes PII.
4) Submission of PII is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) (1) Voluntary submission of PII onto the system will represent the voluntary consent of the individual. A statement attesting to the same is included on the web entry page. Following NIH best practices, when changes to the system are made an electronic announcement will be placed prominently on the system homepage. (2) See the preceding paragraph. (3) Information will be shared in an electronic format with other registered members and staff of the NIH that also register on the system.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PII will be secured by user-selected passwords with strong password complexity and expiration policies enforced. Web and database servers are dedicated machines maintained in a secure data center with strong physical access controls and continuous monitoring implemented.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine Jones and/or Karen Pla
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 11/14/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


 

06.3 HHS PIA Summary for Posting (Form) / NIH OD Workflow information Tracking System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 7/27/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4698-00-403-232
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Workflow information Tracking System (WiTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terrye Verge
10. Provide an overview of the system: WiTS is a workflow management system that will provide corporate consistency through business process management and automated workflows. This automated workflow system enables HR to monitor and track the status of a vast array of actions, correspondence and approvals. It enables HR to track the location, responsible person/body, action status, action effective/due date, etc., of personnel and other HR actions (i.e., awards, employee relations, correspondence, FOIA requests, etc.); with system access, WiTS can communicate the status of actions to administrative staff and management officials through its monitoring views; allow for the measuring of performance of HR staff (trend analysis); identify improvement areas; identify staff skill and competency in HR areas; provide a variety of reports (i.e. workload, gain/loss); and promote/facilitate the provision of customer service through improved communication and timeliness in completing actions. WiTS is secure and web-enabled, and with appropriate remote privileges, can be accessed over the Internet from anywhere.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): HR management & staff and IC management officials. SOR#09-90-0018. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information provided in HR status/informational/metric/performance reports. PIA is mandatory for metric reporting purposes. No personal information (other than name) is captured in the reports – only metrics associated with the HR action.
WiTS collects data on personnel actions processed within HR (e.g., action type, employee name, Empl ID, DOB, Address, effective date, IC). The agency uses the data to provide performance metrics to HR and NIH management. The collection of minimal personal data is mandatory for reporting.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) WiTS collects minimal personal data, e.g., name, DOB, addresses, Empl ID, organization, etc. It does not collect SSN; therefore, no employee consent is obtained. WiTS sends emails to supervisors and users when changes in profiles/accounts are requested by supervisors and made in WiTS. All users are sent notice via LISTSERV when changes in the system occur. Notices are in the form of electronic mail.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: WiTS uses NIH Single Sign On to manage access and remaining security via the GSS.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Antoine D. Jones
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Pla
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH ORF Constructware
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/5/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3344-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Constructware
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jon Sweeney
10. Provide an overview of the system: Constructware is the Construction Project Management System for ORF.

Constructware provides tools for project management in the area of capital facilities programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Collects information regarding ongoing construction projects within NIH.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Colleen Guay Broder 301-594-1713
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH ORF Enviroware
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3343-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): Enviroware
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: David Mohammadi & Kenny Floyd
10. Provide an overview of the system: Enviroware is a waste management tracking software application which electronically tracks the management of hazardous waste generated at the NIH main campus and off-site facilities. Enviroware also provides various management reports and regulatory required documents to the Maryland Department of Environment and Environmental Protection Agency.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Some of the reports generated by Enviroware list the name, work phone number, building, and room number of NIH waste generators. These reports are used to perform service requests, provide cradle-to-grave waste tracking, and provide data to assist with waste reduction initiatives. These reports are shared with NIH chemical waste contractors and other NIH components as appropriate. The submission of such information, i.e. name, work phone number, building, and room number, is required to create and complete waste service requests.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A. Contact information is collected from waste generators when they call to request waste management services.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________

 

06.3 HHS PIA Summary for Posting (Form) / NIH ORS Animal Facility Environmental Monitor [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable 
1. Date of this Submission: 4/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Animal Facility Environmental Monitor [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ivan Locke, System Owner, (301) 435-2118
10. Provide an overview of the system: Animal Facility Environmental Monitor (AFEM) is a National Institutes of Health (NIH) application/system that has been categorized as a Major Application. The AFEM application resides on NIHnet and consists of several workstations running Microsoft Access and SQL databases at the following locations: 1) the main NIH campus in Bethesda; 2) Rockville; and 3) Poolesville. With the exception of the Ambulatory Care Research Facility (ACRF) floor monitoring workstations in Building 10, AFEM workstations pull data directly from panels on both the Johnson Controls (FACnet LAN) and Siemens (Man-machine Interface (MMI)) modules of the Building Automation System (BAS). The AFEM application has the following functionality:
• Individualized (customized by IC/Facility/Accreditation cycle) alarming and historical reporting and trending of temperature, humidity, air changes, supply and exhaust airflow, directional pressures, and lighting parameters. Point values are polled from the BAS at 15-minute intervals; lighting trends are polled from the BAS at 60-minute intervals.
• A repository for facilities related information (floor plans, building system drawings, etc.) in support of IC Animal Facility daily operations.
AFEM reports alarms based on the BAS (Siemens or Johnson Controls) provided status of the point. The historical reporting and trending portion of AFEM’s functionality is used to help maintain AAALAC (Association for Assessment and Accreditation of Laboratory Animal Care) accreditation.
Note: Per the NIH COOP, AFEM service/functions are at the highest priority in the ORF Risk Management Model.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) AFEM collects the following information directly from the Building Automation System (BAS): status point values for temperature, humidity, air changes, supply and exhaust airflow, directional pressures and lighting parameters; 2) AFEM collects the information for the purpose of monitoring the changes in status point values over time in order to provide an alarming capability (in the event status point value changes are not within certain parameters) and historical reporting necessary to maintain accreditation from the Association for Assessment and Accreditation of Laboratory Animal Care (referred to as AAALAC accreditation); 3) None of the information contains PII; and 4) AFEM does not store personal information of any kind.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) AFEM does not collect, maintain or otherwise disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 5/14/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS Application Hosting Environment [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 5/10/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3358-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): n/a
7. System Name (Align with system Item name): ORS/ORF Application Hosting Environment
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ben Ashtiani
10. Provide an overview of the system: The ORS/ORF Application Hosting Environment is the underlying server and security infrastructure that provides the hosting capability for ORS/ORF applications. AHE is mainly a Microsoft Windows-based environment running multiple versions of Windows to support different business processes. The majority of the equipment is located in Building 12, while the rest of the equipment is located in a server room in Building 10. In addition to the Windows Operating System, AHE consists of the following products: MS SQL, Oracle, EMC and SATA SAN storage devices, and management tools such as Symantec NetBackup and a virtual tape library, which administer the AHE environment. Information stored by AHE is considered generic IT information and does not contain Personally Identifiable Information (PII) or clinical data. Most applications hosted in this environment are hosted on VMware ESX virtual servers; a small number of applications reside on dedicated servers. ORS major applications and supporting data are beyond the accreditation boundary of the AHE C&A effort.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): n/a
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: AHE does not collect, maintain or disseminate PII.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) n/a
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: n/a
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS Cyclotron Exhaust Radiation Monitoring System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable 
1. Date of this Submission: 4/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): CF660DED-FDBB-43B6-9EAF-885B4DE51902
7. System Name (Align with system Item name): NIH ORS Cyclotron Exhaust Radiation Monitoring System [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Roberson, (301) 496-5774
10. Provide an overview of the system: The Cyclotron Exhaust Radiation Monitoring System (CERMS) is a National Institutes of Health (NIH) Office of Research Facilities (ORF) application/system that has been categorized as a Major Application. The CERMS is located in Buildings 10 and 21 of the main NIH Bethesda campus and is responsible for monitoring the emission of short-lived radioactive compounds generated by cyclotrons in the Clinical Center’s Positron Emission Tomography (PET) Department. The monitoring is necessary to ensure that emissions comply with and do not exceed regulatory limits.
The CERMS consists of 4 monitoring stations, which monitor 4 independent exhaust ducts (located in Building 10) that emit short-lived radioactive compounds into the atmosphere. Three of the monitoring stations are Thermo Eberline PET Stack Monitors and the fourth is an Apantec PING (Particle, Iodine & Noble Gas) monitor.
Thermo Eberline and Apantec provide a graphical user interface that allows users to generate reports; collect, view and analyze trends; and configure alarms.
The CERMS will have an internal interconnection with the Portal Monitor 12 (PM12) monitoring system. The PM12 system is responsible for monitoring the radioactivity present on people.
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A. The CERMS does not store, transfer or otherwise disseminate PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) CERMS collects data from the effluent of short-lived radioactive materials being emitted through exhaust ducts; 2) CERMS collects the data for the purpose of monitoring the level of radiation present in the exhaust effluent. The purpose of collecting the data is to ensure the radioactive exhaust effluent is within regulated limits; 3) and 4) CERMS does not collect, maintain or otherwise store PII or personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A. The CERMS does not store, transfer or otherwise disseminate PII.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A. The CERMS does not store, transfer or otherwise disseminate PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 5/15/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS Lab Safety Training System
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3314-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0166
5. OMB Information Collection Approval Number: TBD
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Lab Safety Training System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Deborah E. Wilson/Herb Jacobi
10. Provide an overview of the system: The Division of Occupational Health and Safety (DOHS) training database tracks registration for safety training in-person classes entitled "Laboratory Safety at the NIH," "Working Safely with HIV and Other Bloodborne Pathogens for Non-Hospital Personnel," “Biological Safety Level 3 Training,” “Biological Safety Level 3 (Hands-On) Training” and “Shipping Biological Materials Training.” Additionally the site allows users to access and take the following on-line classes: "Introduction to Laboratory Safety," "Laboratory Safety Annual Refresher Training," and "Bloodborne Pathogens Annual Refresher Training."

Scores are maintained in relationship to the in-person classes. Completion status is maintained for on-line training programs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Yes, Supervisors request information regarding training received by subordinates.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The Division of Occupational Health and Safety (DOHS) training database tracks registration for safety training in-person classes entitled "Laboratory Safety at the NIH" and "Working Safely with HIV and Other Bloodborne Pathogens". Additionally the site allows users to access and take the following on-line classes: "Introduction to Laboratory Safety," "Laboratory Safety Annual Refresher Training," and "Bloodborne Pathogens Annual Refresher Training."

Scores are maintained in relationship to the in-person classes. Completion status is maintained for on-line training programs.

The agency may use the information in accident or injury investigations, for accreditation purposes, and in compliance activities. Submission is mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) None. Unique purpose.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative: limited access
Technical: password protected and limited user authorization; ITB security protocols
Physical: Database is hosted on a separate machine from the website, secured via a firewall from outside access. The web and database servers are hosted at a datacenter with cameras, ID cards, and entry/egress logs.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS MAXIMO
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3305-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: no
6. Other Identifying Number(s): no
7. System Name (Align with system Item name): Maximo
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ken Deng
10. Provide an overview of the system: The MAXIMO system tracks work orders, equipment information, stock room items, purchase/rental equipment and billing information.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system collects contact information for individuals who request a work order. We collect only the requester's name, phone, building, room and email address. All are public information, and the information is used only to identify the requester; the technician needs the information to locate the customer and the equipment. The name and office phone number are mandatory.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There are none.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related need to access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/27/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS NIH Foreign National Information System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 6/11/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3341-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0140
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): NIH ORS NIH Foreign National Information System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Candelario Zapata
10. Provide an overview of the system: The NIH Foreign National Information System (NFNIS) will be a central storage database hosting NIH Foreign National immigration status information. The NFNIS will store Personally Identifiable Information (full name, home address, and telephone numbers) of all NIH Foreign Nationals working at NIH institutes and centers, and although foreign nationals are not subject to Privacy Act requirements, the system also stores emergency contact and dependent information which could entail PII for US Citizens. The NFNIS supports the mission of the Division of International Services (DIS) by ensuring that the NIH maintains compliance with all applicable U.S. immigration laws governing and/or regulating their stay in the United States set forth by the U.S. Department of Homeland Security (DHS), the U.S. Department of State, the U.S. Department of Labor, and other government agencies pertaining to the foreign researchers, scholars, and staff. The NFNIS helps meet these reporting requirements for international students/scholars by helping track, manage and report international scholars to the various government agencies. Using the NFNIS ensures that DIS can maintain Student and Exchange Visitor Information System (SEVIS) compliance, while increasing overall productivity in its other areas of responsibility.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The NFNIS will store Personally Identifiable Information (full name, home address, and telephone numbers) of all NIH Foreign Nationals working at NIH institutes and centers, and although foreign nationals are not subject to Privacy Act requirements, the system also stores emergency contact and dependent information which could entail PII for US Citizens. Additionally, this information system may store PII for foreign nationals that apply for and receive US citizenship. NFNIS provides manual uploads of the database to the U.S. Department of Homeland Security (DHS), Customs and Border Protection (CBP) Student and Exchange Visitor Information System (SEVIS) to meet U.S. immigration law reporting requirements.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information that agencies collect is primarily related to foreign nationals. Information collected contains PII and submission is mandatory. This information is necessary to document the individual’s presence at the NIH, to record immigration history of the individual in order to verify continued eligibility in NIH research programs, and to meet requirements in the Code of Federal Regulations (8 CFR, Aliens and Nationality, and 22 CFR, Foreign Relations) and other applicable immigration laws, including Public Law 107-173, Enhanced Border Security and Visa Entry Reform Act of 2002, and Public Law 107-56, USA PATRIOT ACT.

Information Collected includes the following:
Name
Date of Birth
Social Security Number
Personal Mailing Address
Personal Phone Number
Personal Email Address
Education Records
Employment Status
NIH Immigration History
Office Case Number
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) IIF is collected by the NIH administrative or personnel offices. The IIF collected only pertains to foreign nationals. That information is then sent to the DIS to request immigration assistance. Based on the IIF collected by the IC, the DIS issues the appropriate immigration document and sends it to the individual foreign scientist. The immigration document itself contains notification and consent information. By signing and/or using the immigration document to enter the U.S., the foreign scientist automatically consents. Different federal agencies (including the Department of Homeland Security and Department of State) issue Federal Register notices when major changes to data collection occur, such as with the USA PATRIOT ACT (Public Law 107-56).
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The application is protected through the use of security controls implemented by CIT, ORS and the Application Hosting Environment (AHE). These controls include intrusion detection systems as well as firewalls. The application is also hosted by ORS, which helps to secure the information being stored in the AHE, which handles all physical controls of the information system. The NFNIS System Security Plan documents all administrative, technical, and physical security controls that are in place to protect the PII.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 6/7/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Parking and Transhare System (PARTS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3328-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): SOR# 09-25-0167
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Parking and Transhare System (PARTS)
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Thomas Hayden
10. Provide an overview of the system: PARTS is the system that manages enrollment in NIH Transportation programs, including the parking enrollment system and the public transportation subsidy distribution system.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system shares information with individuals within the Division of Amenities and Transportation Services, Division of Police, and the Division of Employee Services for the purpose of providing transportation services to NIH. Per SOR #09-25-0167,
Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
The Department of Health and Human Services (HHS) may disclose information from this system of records to the Department of Justice, or to a court or other tribunal, when (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation, and HHS determines that the use of such records by the Department of Justice, court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case HHS determines that such disclosure is compatible with the purpose for which the records were collected.
NIH may disclose applicant's name, unique computer identification number, NIH TRANSHARE commuter card number, and type of participant's fare media to be disbursed to cashiers of the Recreation and Welfare Association of the National Institutes of Health, Inc. (R&W Association) who are responsible for distribution of fare media. Cashiers are required to maintain Privacy Act safeguards with respect to such records.
Disclosure may be made to organizations deemed qualified by the Secretary to carry out quality assessments or utilization review.
NIH may disclose statistical reports containing information from this system of records to city, county, State, and Federal Government
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system shares information with individuals within the Division of Amenities and Transportation Services, Division of Police, and the Division of Employee Services for the purpose of providing transportation services to NIH. PARTS collects, maintains, or disseminates the following information: name, NIH identifier, and work location information (from the NIH Directory); and vehicle, parking permit, facial image, and commuting information. The information contains the NIH UID (identifier) from the NIH Enterprise Directory (NED). Personal NED and vehicle information is mandatory if Transportation privileges are requested by the individual.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) There currently are none.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to only allow individuals with a job-related necessity to access IIF.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Physical Intrusion Detection System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable 
1. Date of this Submission: 4/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number:
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Physical Intrusion Detection System [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Louis Klepitch (301) 402-6397
10. Provide an overview of the system: The Physical Intrusion Detection System (PIDS) provides covert intrusion detection and duress alarming through panels installed at various locations, including high security facilities, money and pharmaceutical handling areas, document storage areas and irradiators. PIDS alarms are transmitted to a Bosch Security Systems head-end receiver located in the NIH Emergency Communication Center (ECC). The PIDS is maintained, through a maintenance contract, by ASG. All PIDS panels reside on the Facilities Network (FACnet). One panel, responsible for monitoring the 5RC irradiator, also has telephone alarm capability.

PIDS has an internal interconnection with the Radiation Monitoring System (RMS). Certain RMS alarms are pushed to the PIDS via the FACnet by way of a hard wired connection.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): PIDS does not collect, maintain or otherwise disseminate Personally Identifiable Information.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: 1) PIDS collects alarm data (time, location, zone) generated and transmitted by the Bosch Security Panels located throughout the NIH Bethesda campus, Rockville (Twinbrook II and Research Court) and Baltimore (Biomedical Research Center); 2) PIDS collects the information to allow dispatchers to quickly initiate a response to the alarm from a central location; 3) and 4) PIDS does not collect, maintain or otherwise store PII or personal information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PIDS does not collect, maintain or otherwise disseminate Personally Identifiable Information.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: PIDS does not collect, maintain or otherwise disseminate Personally Identifiable Information.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 7/3/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Point of Sale System (POS)
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/12/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3323-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Point of Sale System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Crawford
10. Provide an overview of the system: The POS system provides the functionality for maintaining records of cashier functions and cafeteria purchases. The system handles cash exchanges, but does not deal with any credit card transactions.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not deal with any IIF
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The agency processes purchase information to complete the sale of items on the NIH campus. The Division of Employee Services will view individual transactions made in the retail and food service operations, not transactions by individuals. There is no specific personal data on individuals that will be collected. These transactions are simple cash/credit card transactions handled at typical retail and food service operations. However, the credit card portion is done externally to this system. The quantitative measure of these transactions will be used for analysis and gathering of trends to better give us a snapshot of what our customers are purchasing, how much is being purchased, and what services we can provide to maximize customer satisfaction. Submission of personal information by customers is not required to gather transaction data.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) None; since we are only using this as an automated cash register system. There would be no circumstances where personal information about anyone would be required for use of the system and to make transactions on the system. No individual would have to consent to provide personal data. The data that would be collected would be financial transactions and are not tied to any one individual.
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to only allow individuals with a job-related necessity to access IIF.
Administration of this system is currently being researched by ORS IT to relocate the server to Building 13 under the umbrella of the ORS server team. System access is password protected and can only be accessed via specific passwords. Once again, the server does not store any personal data on individuals and only certain individuals will have access to the server.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Radiation Safety Comprehensive Database [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation 
1. Date of this Submission: 8/15/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3314-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-25-0166
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): No
7. System Name (Align with system Item name): Radiation Safety Comprehensive Database
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bob Zoon
10. Provide an overview of the system: The Radiation Safety Comprehensive Database System (RSCDS) supports the NIH Radiation Safety Program and its information and record keeping needs. As a multiple licensee of the U.S. Nuclear Regulatory Commission, the NIH Program is required to maintain extensive detailed records on the use of licensed radioactive materials and on the training, performance and radiation exposure of employees, as well as radiation exposure of research patients, visitors and the public. The RSCDS is an essential tool for efficiently facilitating these information collection, storage and retrieval needs.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes 
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Per SOR# 09-25-0166, Routine uses of Record:
Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.
Disclosure may be made to the Department of Justice or to a court or other tribunal from this system of records, when (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case HHS determines that such disclosure is compatible with the purpose for which the records were collected.
Disclosure may be made to contractors for the purpose of processing or refining the records. Contracted services may include monitoring, testing, sampling, surveying, evaluating, transcription, collation, computer input, and other records processing. The contractor shall be required to maintain Privacy Act safeguards with respect to such records.
Disclosure may be made to: a) officials of the United States Nuclear Regulatory Commission which, by Federal regulation, licenses, inspects and enforces the regulations governing the use of radioactive materials; and b) OSHA, which provides oversight to ensure that safe and healthful work conditions are maintained for employees. Disclosure will also be permitted to other Federal and/or State agencies which may establish health and safety requirements or standards.
Radiation exposure and/or training and experience history may be transferred to new employer.
A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) warrants the risk to the privacy of the individual that additional exposure of the record might bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining such information, and (3) make no further use or disclosure of the record except (a) in emergency circumstances affecting the health or safety of any individual, (b) for use in another research project, under these same conditions, and with written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law; (D) has secured a written statement attesting to the recipient's understanding of, and willingness to abide by these provisions.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The Radiation Safety Database System tracks exposure badges, compliance surveys, radioactive isotopes, radiation sources, radioactive waste disposal, and radioactive waste discharges (WSSC). In addition, the Radiation Safety System tracks the location of radioactive materials and the personnel who are permitted to work with those materials. Personal information collected is Name, NIH Employee ID number, Date of Birth, SSN, work location(s), work mailing address, IC affiliation, work phone number and work email address.

This information is collected for employees, researchers, contractors and any other appointment types that could use or have exposure to radioactive materials. This information is mandatory to operate a Radiation Safety Program which is in compliance with U.S. Nuclear Regulatory Commission licenses, regulations and the regulations of the Occupational Safety and Health Administration, DOL and to protect the health and safety of NIH personnel, patients, visitors and the general public.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) None
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The database server is kept in a secured, video-monitored room in a secured building. Network-wise, the database is kept behind 3 firewalls (NIH firewall, Building 21 firewall and database firewall). Access to data in the database is through database accounts which are password protected. Depending on the type of IIF and users' job duties, users are given database roles to manage access. Only DBAs and Developers are given direct access to the database from designated clients in the network. Data transmitted between clients and the database is encrypted using FIPS level 2 standards. PI data is encrypted using Oracle's Advanced Security Transparent Data Encryption.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2011
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________
06.3 HHS PIA Summary for Posting (Form) / NIH ORS Radiological Monitoring System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011? Yes
If this is an existing PIA, please provide a reason for revision: Not Applicable 
1. Date of this Submission: 5/11/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: 
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH ORS Radiological Monitoring System [System]
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Cathy Ribaudo
10. Provide an overview of the system: Irradiator room remote monitoring system
13. Indicate if the system is new or an existing one being modified: New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: (i) The agency collects Irradiator information to provide 24/7 monitoring of all irradiator rooms at NIH, including real-time measurements of radiation levels, camera views, and alarm logs.

(ii) The data is collected to automate tasks within the Division, including real-time measurements of radiation levels. Information will be used to generate reports.

(iii) The system does not collect, maintain or disseminate PII information.

(iv) N/A
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A
32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No 
37. Does the website have any information or pages directed at children under the age of thirteen?: 
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Karen Cook 301-594-4727
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 6/11/2012
Approved for Web Publishing: Yes
Date Published: 9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS ScheduAll
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/15/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-06-02-3334-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  #09-25-0106
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  No
7. System Name (Align with system Item name):  ScheduALL
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Shauna Everett
10. Provide an overview of the system:  Resource scheduling and business management software designed to handle the conference services, multimedia services, and medical arts services needs of the NIH/ORS/Division of Medical Arts.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Information is not shared outside the Division of Medical Arts (DMA).  Reference SOR #09-25-0106. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0106, published in the Federal Register, Volume 67, No. 187, September 26, 2002
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  This system records contact information for those individuals that request services managed by DMA.  The IIF information will be used to reserve services and for correspondence to confirm bookings.  The limited IIF that is captured is mandatory for booking and reservation services.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  There are none
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, guards and police protect the NIH campus; in addition, the server itself is behind a locked door.  Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Karen Cook 301-594-4727
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS Send Word Now
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/15/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-06-02-3352-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0216
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Send Word Now
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  James Stringfellow
10. Provide an overview of the system:  Send Word Now is a two-way messaging system used to notify various contact points during an emergency or event. It is web-based/hosted, with the master account maintained by DEPC.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  This is a system that will be utilized by the NIH and not by our division alone.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  First and last name, Building, IC, Room, Gov’t and personal mobile, landline, BlackBerry devices, email, SMS, pager; all personal information is voluntarily given. Gov’t information (email, telephone) will automatically be passed to the system from NED.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Individual ICs who utilize this system are responsible to notify and obtain consent from individuals when changes occur.  The ICs are notified when changes do occur to the system.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The Send Word Now service is architected, designed, and implemented to be highly secure. Send Word Now utilizes a “defense in depth” strategy that provides, where feasible, multiple levels of defense. All traffic to and from the Web interfaces to the SWN Application is encrypted using 128-bit SSL encryption. Additionally, the redundant Cisco firewalls block all but the necessary categories of traffic entering a service complex. These firewalls also provide basic intrusion detection, cutting off suspicious traffic and providing real-time alerts to SWN service Operations personnel. As discussed in Q49, role-based access to sensitive data is provided only as needed to the appropriate employees.

Send Word Now (SWN) service complexes provide extensive physical security. Onsite security guards are present 24/7, supplementing both indoor and outdoor security monitoring. Access to a facility requires a Hosting Facility photo ID badge and inclusion on the list of authorized personnel for that facility. Biometric hand scans and pulse detection are required for entry to a facility; they prevent hosting customers from moving from one co-location area to another within the facility. Hosting customers are escorted to their areas. Closed-circuit cameras monitor and record every area within the facilities. Customer equipment resides in locked cages and/or locked cabinets. The hosting provider keeps all keys to cages and cabinets; customers do not have copies of the keys. As a result, only SWN personnel have either physical or logical access to Send Word Now resources.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Karen Cook 301-594-4727
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS Sentinel Patriot [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   Yes
If this is an existing PIA, please provide a reason for revision:  
1. Date of this Submission:  8/4/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  Not applicable
5. OMB Information Collection Approval Number:  Not applicable
6. Other Identifying Number(s):  Not applicable
7. System Name (Align with system Item name):  NIH  CIT Sentinel Patriot System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Renita Anderson
10. Provide an overview of the system:  Sentinel Patriot is a Windows-based intelligent telephone console designed to provide the expanded functionality necessary in critical call processing environments. Sentinel Patriot presents an enhanced user interface to the call taker by automating key functions, coordinating the delivery of information crucial to first responders, and broadening the range of communications.

Sentinel Patriot utilizes the First Party Call Control method of Computer Telephony Integration (CTI) to integrate the console application to the soft IP PBX in the Patriot Telephony Server (PTS). Patriot receives and transmits signaling data along with the voice path via an IP connection terminating to the Patriot Communication Server (PCS) and to the PTS via one or both of the managed 24 port switches installed in the Patriot cabinet. This data includes the calling party number in the form of Automatic Number Identification (ANI) or Calling Line Identification (CLID) and feature interaction signals between Patriot and the soft PBX installed in the PTS.
13. Indicate if the system is new or an existing one being modified:  New
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  There is no PII.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:
1. The information that the system collects is record data that stores telephone numbers and building locations used by NIH Staff, to include both Federal and Contract Personnel.  It only represents Federal contact data.
2. This data is used by the NIH Police Department in response to 911 Emergency Situations in which a staff member contacts the Emergency Communications Center.
3. The system does not contain any PII information on specific individuals.
4. The only information provided by an individual is the details of their emergency situation prior to first responders rendering emergency assistance.  Information provided is voluntary.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A - There is no PII.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  There is no PII.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Michele Mulholand France, NIH/CIT/PECO
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  8/24/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS Troux
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/15/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-06-02-3358-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  N/A
5. OMB Information Collection Approval Number:  N/A
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  ORS Troux
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Ricardo Rodriguez
10. Provide an overview of the system:  The ORS/F EA Troux System is used to provide Enterprise Architecture solutions.  It supports the modeling of the architectural components that represent individual elements of the ORS/F business; for example, goals, objects, service groups, applications, servers, databases, etc. that together describe the what, where and why of the ORS/F organizations.

The ORS/F EA System uses The Troux Technology (METIS) / The Troux Suite of Tools and Applications to provide EA Solutions, Business Intelligence, Visual Modeling, Metamodeling and data repository.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The ORS/F EA Troux System is intended to provide current, accurate, and reliable enterprise data in a single repository that will allow ORS and ORF stakeholders of varying interests to quickly obtain information about the business, providing answers to business questions, helping to guide business and technology decisions, and promoting the development, use and sharing of business and technical standards.

The ORS/F EA Troux System data includes:
- Service Groups and Discrete Services descriptive information
- Goals, Objectives, Measures
- Technology information about:
  o Applications, Software, Servers, Databases
  o Projects, Vendor Companies and Federal Points of Contacts using Federal Contact Data Only
- Relationships among technical and business components

Employee name or business contact information, including mailing address and email address, may be displayed to ORS managers to identify points of contact for particular systems, applications, or projects as part of our Enterprise Architecture reporting.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  N/A - There is no PII in the system.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  No 
37. Does the website have any information or pages directed at children under the age of thirteen?:  
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): 
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  N/A
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Karen Cook 301-594-4727
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS Visitor Badging System [System]
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  Commercial Sources 
1. Date of this Submission:  8/15/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-06-02-3354-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  09-25-0054
5. OMB Information Collection Approval Number:  n/a
6. Other Identifying Number(s):  N/A
7. System Name (Align with system Item name):  Visitor Badging System
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Major Patricia Haynes
10. Provide an overview of the system:  The Visitor Badging System application acts as a badge issuance system for visitors to the NIH Bethesda campus.  When a visitor arrives on campus, their ID is scanned into the system as an image file; the image, along with other Information in Identifiable Form (IIF), is stored in a back-end Oracle database; the identity of the individual is validated through the photo on the ID; the name and photo of the visitor are checked against a "Do Not Admit/No Entry" list; once approved, the visitor is issued a temporary badge.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  Yes 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual. 
In the event that a system of records maintained by this agency to carry out its functions indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether Federal or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto.
In the event of litigation where the defendant is (a) the Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) the United States where the Department determines that the claim, if successful, is likely to directly affect the operations of the Department or any of its components; or (c) any Department employee in his or her individual capacity where the Justice Department has agreed to represent such employee, the Department may disclose such records as it deems desirable or necessary to the Department of Justice to enable that Department to present an effective defense, provided that such disclosure is compatible with the purpose for which the records were collected.
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The system collects information that is stored on a normal form of identification.  That could include Name, address, place of birth, birthdate, passport number, license number, photo identification, as well as other identification type info.  Collection of personal information is mandatory based on NIH ORS SER DP Policy and Procedures.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  Write to the System Manager to determine if a record exists. The requester must also verify his or her identity by providing either a notarization of the request or a written certification that the requester is who he or she claims to be and understands that the knowing and willful request for acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act, subject to a five thousand dollar fine. The system records visitors to the NIH; there is no mechanism in place to notify these people when a major upgrade to the system occurs; in this case, due to the purpose of this application, it should be exempt from the aforementioned requirement; individuals are providing the IIF, at the time of visitor registration - therefore, they do not need to be informed as to the information that is being collected.
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  Yes
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  The system is located on a separate VLAN of a secure NIH network.  The network is protected by firewall and IDS devices.  Only authorized individuals are allowed access to the system both physically and remotely.
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Karen Cook 301-594-4727
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________


06.3 HHS PIA Summary for Posting (Form) / NIH ORS WSS - Sharepoint
PIA SUMMARY AND APPROVAL COMBINED 
PIA Summary 
Is this a new PIA 2011?   No
If this is an existing PIA, please provide a reason for revision:  PIA Validation 
1. Date of this Submission:  8/12/2011
2. OPDIV Name:  NIH
3. Unique Project Identifier (UPI) Number:  009-25-01-06-02-3358-00
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):  No
5. OMB Information Collection Approval Number:  No
6. Other Identifying Number(s):  no
7. System Name (Align with system Item name):  Sharepoint 2007
9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:  Christine Winchester
10. Provide an overview of the system:  The WSS SharePoint system acts as a data repository and collaboration tool for ORS staff.  Its primary use is to create working areas where teams/business owners can share documents among team members.  Individual SharePoint sites are managed by a member of the team/business owner for whom the site was created.  The information placed in a SharePoint site is at the discretion of the team/business owner.
13. Indicate if the system is new or an existing one being modified:  Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?  (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):  No 
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):  No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):  No
30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:  The agency does not collect any information through the use of this system.  The SharePoint application is used as a work area/tool for teams.  No PII is requested.  Any information placed within the SharePoint system is placed there by the individuals using the system.  The agency does not review this information.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. 
(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])  PII is not contained in this system; therefore, it is not applicable to "notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system" or to "notify and obtain consent from individuals regarding what PII is being collected from them and how the information will be used or shared."
32. Does the system host a website? (Note:  If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII):  Yes 
37. Does the website have any information or pages directed at children under the age of thirteen?:  No
50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):  No
54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:  None
PIA Approval
PIA Reviewer Approval:  Promote
PIA Reviewer Name:  Karen Cook 301-594-4727
Sr. Official for Privacy Approval:  Promote
Sr. Official for Privacy Name:  Karen Plá
Sign-off Date:  9/28/2011
Approved for Web Publishing:  Yes
Date Published:  9/10/2012
_____________________________________________________________________________
