Office of the Secretary Privacy Impact Assessments

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Access Control Tracking System (Security)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Aug 19, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): None

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): OS ASAM Access Control Tracking System - Security

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jack Stoute

10. Provide an overview of the system: The OS ASAM Access Control Tracking System - Security (ACTS-Security) automates, streamlines, and standardizes the entry, modification, and exit clearance process for employees and contractors entering or exiting on-site employment at the Program Support Center (PSC).

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The ACTS-Security clearance system discloses IIF only to PSC officials with a need to know.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The ACTS-Security clearance system contains Personnel Management Information as defined in NIST SP 800-60. This includes PSC employee and contractor names, work addresses, work e-mail addresses, work phone numbers, and work cell phone numbers. Submission is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) none needed

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: Not Applicable

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: ACTS-Security utilizes administrative, technical, and physical security controls to minimize the risk of a breach of IIF. If a security incident does occur, it will be immediately reported to the PSC CISO and through her, to the HHS PII Breach Response Team. They will analyze the incident, determine its impact, limit its damage, and restore normal processing.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 21, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Accounting for Pay System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 10, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-01-01-1013-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Accounting For Pay System (AFPS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Vincent Watson / John Biggie

10. Provide an overview of the system: Automated interface between the Department's central payroll and the HHS agencies for payroll cost distribution.

Provides a systematic interface of payroll accounting information necessary to account for disbursements, expenditures, obligations and accruals for personnel costs. Legislation: Chief Financial Officers Act of 1990.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is shared with the agencies' accounting, budget and administrative offices.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The agencies receive payroll expenditures and use this data for financial reporting and tracking their budgets (payroll costs). The data transmitted meets the standard that was established by the Department for capturing payroll costs.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information received is from HHS payroll systems (Civilian and Commissioned Corps) and is processed to properly account for payroll costs. Agencies are aware of incoming files via a scheduled processing calendar.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical and Physical controls are in place to ensure the security of the information. These include an up-to-date System Security Plan, Contingency Plan, regular offsite backup of the data, and yearly security awareness training for all personnel. Also, the system is part of the yearly SAS-70 (Statement on Auditing Standards No. 70) audit, which tests the adequacy and effectiveness of the operating controls. Specific protections for PII include:

1- Electronic data is password protected

2- Access to electronic data is role-based

3- Documents are locked in file cabinet accessible only to mgt and admin assts

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Sep 8, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM ACF General Support System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Sep 8, 2008

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): ACF GSS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Scott Funk

10. Provide an overview of the system: The ACF GSS is a local area network supporting the operations of the HHS/ACF.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Sep 8, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM AHRQ Local Area Network

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Sep 10, 2008

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): AHRQ General Support System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Scott Funk

10. Provide an overview of the system: AHRQ GSS is a LAN supporting the operations of the HHS/AHRQ.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth M. Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Sep 10, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM AoA General Support System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Sep 10, 2008

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): AoA General Support System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Scott Funk

10. Provide an overview of the system: The AoA GSS is a LAN supporting operations of the HHS/AoA.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Sep 10, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Biometrics Enrollment System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Sep 10, 2008

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-02-00-02-0030-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-40-0013

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): Biometric Enrollment System (BES)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ken Calabrese

10. Provide an overview of the system: To store, manage, and maintain information related to the enrollment and employment of federal and contractor applicants as well as the issuance and maintenance of PIV credentials to authorized personnel; this includes the process of identity verification and the authorization to access federal space and information systems.

BES is used to collect fingerprints, photo and other identification which is sent to OPM for background investigation and to allow issuance of badges within HHS and other federal agencies.

Homeland Security Presidential Directive 12 (HSPD-12), issued on August 27, 2004, required the establishment of a standard for identification of Federal Government employees and contractors. HSPD-12 directs the use of a common identification credential for both logical and physical access to federally controlled facilities and information systems. This policy is intended to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.

HSPD-12 requires that the Federal credential be secure and reliable. The National Institute of Standards and Technology (NIST) published a standard for secure and reliable forms of identification, Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors. The credential is for physical and logical access.

FIPS 201 has two parts: PIV I and PIV II. The requirements in PIV I support the control objectives and security requirements described in FIPS 201, including the standard background investigation required for all Federal employees and long-term contractors. The standards in PIV II support the technical interoperability requirements described in HSPD-12. PIV II specifies standards for implementing identity credentials on integrated circuit cards (i.e., smart cards) for use in a Federal system. Simply stated, FIPS 201 requires agencies to:

• Establish roles to facilitate identity proofing, information capture and storage, and card issuance and maintenance.

• Develop and implement a physical security and information security infrastructure to support these new credentials.

• Establish processes to support the implementation of a PIV program.

In response to HSPD-12 and to meet the requirements summarized above, PSC’s Security Services Branch is responsible for the management and security of all PII information it collects during the HSPD-12 applicant enrollment and card issuance process; including serving as the main internal and external point of contact with respect to program planning, operations, business management, communications and technical strategy.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is disclosed to OPM for performing background investigations for Federal Employees and Contractors as described by HSPD-12 and FIPS-201.

IIF may be disclosed to the enrollee upon request.

IIF may be disclosed to law enforcement officials when HHS becomes aware of evidence of a violation of civil or criminal law.

IIF may be disclosed to congressional offices in response to a verified inquiry made at the written request of the individual.

IIF may be disclosed to the Department of Justice, court or other tribunal when it has been deemed necessary and relevant to litigation.

IIF may be disclosed to officials of labor organizations when relevant and necessary to their duties of exclusive representation.

IIF may be disclosed to organizations approved by the Secretary for performing quality assessments, audits or utilization review.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: IIF includes fingerprints, photo, scanned documents, etc. to perform ID checks. The submission is mandatory to allow access to HHS facilities, sensitive data and IT systems. The information is used to issue identification badges and perform background investigations for Federal Employees and Contractors as described by HSPD-12 and FIPS-201 supported by the PSC for Parklawn Bldg. complex and other HHS facilities.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Authorization of Release of Information form. Part of Standard Form 85, Standard Form 85P and Standard Form 86.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administration

– Administrative controls of this system are provided by the SSB.

– Training for users and administrators.

– Confidentiality agreements for contractor access.

– Separation of duties and least privilege access and accountability.

– Processes are in place to monitor and respond to privacy and security incidents.

Technical

– Firewalls and Intrusion detection systems protect the boundaries of the HHS network on which this system operates.

– Encryption is enabled on mobile/portable systems

– Passwords are used to control workstation and server access. Passwords are also used to control encryption and application access.

– VPNs are used to encrypt data transfers.

Physical

- Workstations remain in the custody of authorized personnel while on-site and when transported.

- Workstations are covered by HHS physical controls, including guards, CCTV and ID badges, in the Parklawn Building and at all regional offices.

- Servers are maintained at the GTC and will not be removed.

- Servers are protected by the physical controls of the GTC.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth M. Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Sep 10, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Debt Management and Collection System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 9, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-01-01-1011-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-40-0012

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Debt Management and Collection System (DMCS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bruce SoutherLand

10. Provide an overview of the system: Automated system that provides comprehensive processing of a variety of unique debt management receivable and loan programs. This data base is a feeder system to the official Program Support Center’s accounting system of record – the Unified Financial Management System (UFMS).

Legislation: Debt Collection Improvement Act of 1996 & HHS Claims Collection Regulation 45CFR Part 30.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is shared with credit reporting agencies, collection agencies, the Department of the Treasury and the Department of Justice as part of the debt collection process.

- Credit reporting agencies: Credit reporting

- Collection agencies: Debt collection

- Treasury TOP: Debt collection referrals

- Department of Justice: Litigation

- IRS: Write offs and interest paid

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information is not normally collected from the public. The information is primarily collected from the referring agency program offices as a result of defaulted loans, scholarships; separated employee debts; repatriation debts; Medicare Overpay and Medicare Secondary Payor debts; Grant and Program disallowance debts; Inspection debts; IHS medical debts, etc. The information is used to record and collect the receivables owed the Government by the public.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is obtained from the agency program offices as a result of defaulted scholarships, loans, etc. and other sources throughout the due diligence process (e.g., collection agency, credit reporting agency, Department of Justice, etc.) No notice is given to individuals for consent, etc. Through demand letters in the due diligence process, individuals are given the opportunity to pay their debt to the Government before information is forwarded to collection agencies, credit reporting bureaus, etc.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical and physical controls are in place to ensure the security of the information. These include an up to date System Security Plan, Contingency Plan, regular offsite backup of the data, and yearly security awareness training for all personnel. Also, the system is part of the yearly SAS-70 (Statement on Auditing Standards No. 70) audit which tests the adequacy and effectiveness of the operating controls.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth M. Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Sep 10, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Defense Contract Management Agency

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 13, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-09-02-1031-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0004

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): DCMA

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kathy Morring, Capt. USPHS; Kim Frasher, DCMA Project Manager

10. Provide an overview of the system: HHS values and benefits from a workforce that is physically well and supports the efforts of DCMA in achieving this goal. DCMA assists employees and employers to resolve medical problems that may adversely impact their work performance, conduct, health and well-being by tracking the subject’s repetitive exposure to items that could be detrimental to the subject’s health. In order to achieve these objectives of tracking these exposures, the DCMA case management and reporting system was developed.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Medical officers use for review of medical data. DCMA assists employees and employers to resolve medical problems.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Patient demographic data to include name, DOB, SSN or unique ID, height, weight and other basic medical information. The demographic information is used to track the individual in the database. The medical information is used for Health Surveillance. The demographic data contains IIF (name, SSN, DOB, physical characteristics). If employees do not want to provide information needed to establish a medical record, then this information is forwarded to the Agency. The Agency policies will dictate what process is followed for doing the exam (regulatory, agency mandated, voluntary surveillance, etc.). Patients log information from physicals, basic data, physical reports, genetic issues, illnesses and remediation plans go directly to the supervisor.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All employees are required to read the FOH privacy statement when they have their exam in the OHC and are asked to sign an authorization for disclosure which describes what information will be disclosed outside of FOH. All employees are asked to sign a release of information form before information and any identifiable information is transferred or released from DCMA.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Management, operational, and technical controls commensurate with the level of sensitivity for the system, including:

- Electronic data is encrypted during transmission.

- Electronic data is password protected.

- Access to electronic data is role-based.

- Access to electronic data is based on “least privilege”.

- Access to electronic data is limited by number of attempts, session lock, session termination.

- Documents are stored in locked file cabinets / offices.

- Documents are shredded (Medical Records are archived) when no longer needed.

- The application servers are isolated from the rest of the FOH network by PIX firewalls, which control access to the application data.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 14, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Departmental Contract Information System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 13, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-01-06-02-0002-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Departmental Contracts Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Fred Evans

10. Provide an overview of the system: The DCIS mission is to provide the data collection and reporting capabilities needed to enable HHS to comply with the reporting requirements mandated by Public Law 93-400 for the reporting of procurement actions.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: DCIS provides a single system capability within HHS that collects, edits and stores information on individual procurement and contracting actions executed by the Operating Divisions (OPDIVs) and other HHS offices. No IIF information is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 14, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Division of Payment Management Local Area Network

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Aug 13, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-01-01-1010-00-402-124

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): DPM LAN

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Matt Zaklielarz

10. Provide an overview of the system: The DPM LAN provides local connectivity for the DPM office.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: No

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A -- a GSS

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 14, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Elite Series System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 13, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1050-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): EliteSeries System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Grubb

10. Provide an overview of the system: Provides cradle-to-grave management of the Supply Services Center's inventory and customers' orders. It is made up of several modules which are function-specific: Accounts Receivable, Accounts Payable, Inventory Management, Order Management, Purchasing, Production, Warehouse Management. The EliteSeries System is an off-the-shelf software product licensed by the SSC, and installed with no modifications.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: EliteSeries System does not collect PII information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is contained in the system

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 14, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Employee Assistance Program Information System (FOH)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: Significant System Management Changes

1. Date of this Submission: Sep 18, 2003

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1021-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0010

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): DOCID:fr07mr97-105

7. System Name (Align with system Item name): Web Employee Assistance Program Information System (Web EAP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: David Fisher

10. Provide an overview of the system: Web component deactivated - Systems Name is now EAPIS -jsb 9/18/2008

Formerly called EAPIS

Manage EAP clinician activity.

This system contains a written or electronic record on each EAP client. These records typically contain demographic data such as client name, date of birth, grade, job title, home address, telephone numbers, and supervisor's name and telephone number. The system includes records of services provided by HHS staff and services provided by contractors.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is not shared (except as required by law) with anyone outside of HHS.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information contained in each record is a documentation of the nature and extent of the client's problem(s). When the intervention plan includes referral(s) to the treatment or other facilities outside the EAP, the record also documents this referral information. The information contained in each record is also used for monitoring the client's progress in resolving the problem(s). Anonymous information from each record is also used to prepare statistical reports and conduct research that helps with program management.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information in this system of records is: (1) Supplied directly by the individual using the program, or (2) supplied by a member of the employee's family, or (3) derived from information supplied by the employee, or (4) supplied by sources to/from whom the individual has been referred for assistance, or (5) supplied by Department officials (including drug testing officers), or (6) supplied by EAP counselors, or (7) supplied by other sources involved with the case. Clients of the EAP will be informed in writing of the confidentiality provisions. Secondary disclosure of information, which was released, is prohibited without client consent.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information in the system is protected by management, operational, and technical security controls commensurate with the level of sensitivity of the system.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Enterprise E-Mail System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 13, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-02-00-01-0009-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Enterprise E-Mail System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ken Calabrese

10. Provide an overview of the system: EES is also known as the "HHSMail" system

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 14, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Enterprise Human Resources and Personnel

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 13, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-01-1100-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Electronic Human Resources and Payroll (EHRP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol Arbogast

10. Provide an overview of the system: A system for collecting, tracking, routing and maintaining information relating to personnel actions and determinations made about an employee while employed at HHS.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Human Resource personnel, supervisors, and employees.

OPM Reporting, and Internal Agencies Reporting

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Personnel and payroll information required by personnel management specialists and managers in order to process and properly execute agency personnel actions.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is collected from individuals. Consent is granted as part of the employee induction process.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The following administrative, technical, and physical controls are in place for EHRP:

Administrative Controls:

- System security plan

- Contingency (or backup) plan

- File backup

- Backup files stored offsite

- User manuals

- Security Awareness Training

- Contractor Agreements

- Least Privilege Access

- IIF Policies

Technical Controls:

- User Identification and Passwords

- Firewall

- Encryption

- Intrusion Detection System (IDS)

Physical Controls:

- Guards

- Identification Badges

- Key Cards

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 14, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Enterprise Network Management System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 5, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): OS Backbone LAN

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Alan Smith

10. Provide an overview of the system: The OS Backbone LAN is the network supporting operations of the HHS/OS.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: May 11, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM FOH Local Area Network/Wide Area Network

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Oct 2, 2006

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-02-00-02-1041-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): FOH LAN/WAN

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kathy Mooring

10. Provide an overview of the system: The FOH LAN/WAN provides local connectivity for the FOH BTS office and wide area connectivity for the various FOH office locations

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: No

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A -- a GSS

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 12, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Government Transformation Center computer room

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 13, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Government Transformation Center (GTC) computer room

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Tyllas

10. Provide an overview of the system: The Government Transformation Center is a data center facility located in Unisys' Reston, VA complex which houses HHS Enterprise systems, HHS/OS OITO / ITSC GSSs and the HHS/OS OITO ITSC Network Operations Center.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This facility does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This facility does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This facility does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 14, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM GovNet-NG (Finance)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-01-01-01-1010-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): GovNet-NG

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Robin Hofmann

10. Provide an overview of the system: GovNet-NG is a secure on-line data and report repository which is accessible via the Intranet using standard web browsers. The accounting data archives from the CORE system will be accessible through CORE-like inquiries on transition to UFMS. The report repository will maintain the CORE reports, UFMS reports, and other source system reports, such as Payroll.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): HHS employees specifically authorized

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: GovNet-NG will receive point-in-time reports, as well as the CORE accounting transactions, to support audits, research, and history of the financial activity. Data does contain IIF as it is provided from the other systems.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Data is not collected from the public. CORE accounting transactions will be a one-time data load at the conclusion of the conversion process from CORE to UFMS. The data will be transmitted via secure FTP.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The following administrative, technical, and physical controls are in place for GovNet-NG:

Administrative controls:

- C&A completed

- System Security Plan

- Contingency Plan

- System backups

- Offsite storage

- User manuals

- Security Awareness Training

- Least Privilege Access

- IIF Policy

Technical Controls:

- User ID and Passwords

- Firewall

- VPN

- Encryption

- Intrusion Detection

Physical Controls:

- Guards

- ID Badges

- Key Cards

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 16, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM HHH computer room

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HHH computer room

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Alan Smith

10. Provide an overview of the system: The HHH computer room is a data center facility located in HHS's Hubert H. Humphrey building.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This facility does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This facility does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This facility does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This facility does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 16, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM HHS Consolidated Acquisition System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 13, 2008

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-02-00-01-0040-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): SORN is in its final clearance prior to publication in the Federal Register.

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): OS ASAM HHS Consolidated Acquisition System (HCAS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Fullem

10. Provide an overview of the system: To realize an enterprise solution for acquisition across the Department, HHS established the HCAS Project Management Office (PMO), within the office of the Assistant Secretary of Administration and Management (ASAM). The PMO will deliver a standardized global Purchase Request Information System (PRISM) for all operational contracting components within HHS that utilize Unified Financial Management System (UFMS) (referred to as HCAS clients). HHS will deploy HCAS to the following ten HCAS client contracting offices: AHRQ, ASPR, CDC, FDA, PSC Division of Acquisition Management, PSC Perry Point, PSC Cooperative Administrative Service Unit (Kansas City), HRSA, IHS, and SAMHSA. The mission of the HCAS PMO is to design, plan, configure, and implement HCAS as efficiently as possible, coordinating with other relevant HHS e-government and enterprise projects to maximize integration.

Once implemented, HCAS will replace the varying PRISM configurations that currently exist across HHS in addition to replacing other legacy acquisition systems and manual processes, resulting in one solution for capturing HHS acquisition transactions for integration with UFMS. In the long term, a consolidated PRISM facilitates and enables a single solution for integrating acquisition with financial management (one interface between HCAS and UFMS) and other mixed financial management systems.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The HCAS system itself collects information necessary to support a procurement relationship between HHS and the vendor community. There are limited instances where an individual’s information in identifiable form (IIF) will be collected in order to facilitate a transaction in HCAS. In addition to names of contracting who serve as HHS buyers, HCAS collects and maintains IIF for service fellows and sole proprietorships that provide vendor services as individuals.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Acquisition processes supported by HCAS include acquisition planning, solicitation, contract creation and approval, contract award and award closeout, and contract performance monitoring and management. To support these business processes, IIF contained in HCAS may include the following: vendor and contracting officer names, vendor mailing addresses, phone numbers, vendor financial account information, legal documents, web URLs, email addresses, vendor education records, and vendor tax ID numbers (TIN) or social security numbers.

Social security numbers of vendors may be captured within HCAS under certain circumstances where a TIN is not available. In order for vendors to obtain the benefit of contracting with HHS, either a TIN or SSN is required. Provision of this information by the vendor is elective and again, is only used when a vendor TIN is not available.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) All notification for the use and protection of private information will be conveyed in writing during training and by electronic notice. By completing and signing a new user application, HCAS users will be aware of what IIF is being collected and how it will be used.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: In the C&A process, HCAS used NIST 800-53a security controls and established the required level of security measures, including end user IDs, passwords, group accounts, a certified facility, and background screening on system administrators. Security controls will be reviewed annually, at a minimum.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth M. Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 13, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM HHS Property Management Information System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-01-06-01-0021-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): OS ASAM HHS Property Management Information System (PMIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jack Sweeney

10. Provide an overview of the system: PMIS is a Web-based application, running on an Oracle database and developed by Sunflower, Inc. The application is utilized for fixed asset accounting and is maintained by the Logistics Services Branch (LSB). PMIS is used for recording capitalized property to the general ledger of PSC.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system will not share or disclose IIF with other agencies within HHS, agencies external to HHS, or other people or organizations outside HHS.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: PMIS will collect asset, custodial, and location information to support fixed asset accounting and to record capitalized property to the general ledger of PSC. IIF information collected and stored includes names, phone numbers and email addresses of asset custodians. Submission of personal information is involuntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Notification and consent beyond the employee's agreement that IIF information will be used for the performance and execution of their work responsibilities is not made.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF will be secured using password-based identification and authentication policies and technology, network firewalls, virus scanning software, intrusion detection technology, physical security controls and preventative social engineering best practices.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 16, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM HHSNet

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HHSNet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Alan Smith

10. Provide an overview of the system: HHSNet is the enterprise backbone network that supports the interconnection and Internet access requirements of the various networks supporting the individual Departmental StaffDivs/OpDivs.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 16, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Integrated Time and Attendance System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1016-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Integrated Time and Attendance System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Vivian Truss

10. Provide an overview of the system: ITAS is a timekeeping by exception application that supports most aspects of tracking and reporting work hours and leave for federal employees. ITAS provides users with access to real-time leave balances and ensures that users accurately record work activity by enforcing time and attendance policies and procedures specific to the Federal Government. ITAS contains rules specific to data entered by Employees, Timekeepers, Approving Officials, Administrative Officers, and ITAS Administrators.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The ITAS data is transferred via secured FTP to our Mainframe system, hosted by the NIH/CIT Data Center, where it is processed with other HHS OPDIVs' time and attendance data. That data is then shared with the Department’s payroll provider, Defense Finance and Accounting System. The purpose of sharing the information is to provide data to DFAS for payroll processing.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information entered into this data system becomes a part of the accelerated time and attendance data collected and documents daily time and attendance for employees. The primary use of the information is to prepare time and attendance transactions as input to DFAS payroll cycle to eventually compute pay checks.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Consent is obtained as part of the condition of employment.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Each ITAS user is assigned a User ID and password. User IDs and passwords are managed by the ITAS Coordinators or Timekeepers through a user profile program. Granting ITAS Coordinator privileges is done centrally by the ITAS administrator.

The following administrative, technical, and physical controls are in place for ITAS:

Administrative Controls

- System security plan

- Contingency (or backup) plan

- File backup

- Backup files stored offsite

- User manuals

- Security Awareness Training

- Contractor Agreements

- Least Privilege Access

- IIF Policies

Technical Controls

- User Identification and Passwords

- Firewall

- Encryption

- Intrusion Detection System (IDS)

Physical Controls

- Guards

- Identification Badges

- Key Cards

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 16, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Managing & Accounting Credit Card System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 5, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1200-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): Managing & Accounting Credit Card System (MACCS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Matt Zakielarz

10. Provide an overview of the system: MACCS is a system designed to provide access to and account for credit card purchases. Using transaction data from the credit card processing center at JP Morgan Chase, MACCS is a downstream process that provides a means for ensuring that each transaction is a valid transaction, reviewed by an authorized official, assigned to a proper budgetary fund, paid in a timely manner and transmitted for posting to the general ledger.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Internal HHS Financial Management Staff

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The MACCS system will process valid transactions that are reviewed by an authorized official, assigned to proper budgetary funds, and transmitted for posting to the general ledger. The system contains IIF information pertaining to credit card numbers and SSNs.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Use of the system by the individual addresses consent.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The following administrative, technical, and physical controls are in place for MACCS:

Administrative Controls

- C&A Completed

- System security plan

- Contingency (or backup) plan

- File backup

- Backup files stored offsite

- User manuals

- Security Awareness Training

- Contractor Agreements

- Least Privilege Access

- IIF Policies

Technical Controls

- User Identification and Passwords

- Firewall

- Virtual Private Network (VPN)

- Encryption

- Intrusion Detection System (IDS)

Physical Controls

- Guards

- Identification Badges

- Key Cards

- Cipher Locks

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 16, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM MDI - Parklawn Badging System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 16, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1061-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-40-0013

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): MDI Badging System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: David Peterson

10. Provide an overview of the system: The MDI Badging System provides card access and intrusion detection and technical alarm points for the HHS-PSC and approximately 9 remote locations.

MDI PIA is being substantially revised. The amended Privacy Act SOR has been published in the Federal Register and is in the 45-day comment period.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share or disclose.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Name, SSN, Photo - For use in granting appropriate building access to provide adequate building access Security.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is submitted by the individual on paper forms; they are told the information is required before granting building passes; individuals personally submit form and receive badge.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative Controls:

- Approved System Security Plan

- Contingency Plan

- Backups

- Offsite storage

- User Manuals

- Contractor agreements

- Least privilege

- IIF policy

Technical Controls:

- UserID and Passwords

- Firewall

- Process for monitoring and responding to security incidents

Physical Controls:

- Guards

- ID Badges

- Cipher Locks

- Key Cards

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 16, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Medical Evaluation/Requirements Information Tracking System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1210-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0004

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Medical Evaluation/Requirements Information System (MERITS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kathy Morring Capt. PHS

10. Provide an overview of the system: Collect, analyze and manage medical data and produce medical reports on the performance capability of Federal Law Enforcement applicants

MERITS is used to collect, analyze and manage medical data and produce medical reports on the performance capability of Federal Law Enforcement applicants. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Includes the following with any revisions or amendments: Executive Orders 12107, 12196, and 12564 and 5 U.S.C. chapters 11, 31, 33, 43, 61, 63, and 83.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Internal: Billing. PII is not shared (except as required by law) with anyone outside of HHS or the customer agency.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: MERITS was developed to collect, analyze and manage medical data and produce medical reports on the performance capability of Federal applicants. PII collected is the minimum required for positive identification of the customer agency employees.

Due to the arduous and hazardous nature of weapon-carrying positions, Federal agencies have to assess the performance capability of their employees and applicants and develop strategies to maintain their health and fitness.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Records in this system are obtained from-- a. The individual to whom the records pertain. b. Agency employee health unit staff. c. Federal and private sector medical practitioners and treatment facilities. d. Supervisors/managers and other agency officials. e. Other agency records. Clients of MERITS will be informed in writing of the confidentiality provisions. Secondary disclosure of information, which was released, is prohibited without client consent.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information in the system is protected by management, operational, and technical security controls commensurate with the level of sensitivity of the system, including:

- All medical records are stored in a separate "locked" file room.

- Medical database files are protected by an internal PIX firewall.

- ICMP is blocked on the internal PIX firewall and the two MERITS SQL servers are configured not to reply to ping requests.

- Audit trails are in place to monitor unsuccessful login attempts to the MERITS application.

- SQL servers are kept up to date with the latest security patches from Microsoft.

- Only authorized internal domain users have access to the MERITS database application.

- The PIX firewall logs are routinely reviewed for unauthorized access.

- Social Security numbers have been removed (except for one client - USSS) from all reports generated out of the MERITS application.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 16, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Occupational Health Information Management System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: Significant System Management Changes

1. Date of this Submission: Sep 18, 2008

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1031-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0004

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): OHIMS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: David Fisher

10. Provide an overview of the system: Ohims assists Reviewing Medical Officers (RMOs) in providing surveillance of employees for federal employers to track medical and exposure histories that may adversely impact their work performance, conduct, and health. In order to achieve these objectives, the Ohims case management and reporting system was developed.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Reviewing medical officers and designated customer representatives who aggregate data. As necessary via law enforcement.

Access to data is restricted to personnel of the DEC and FOH medical review officers assigned to the select agreement. Direct access by non-FOH personnel is not provided. Arrangements can be made through the FOH MRO for an agency to share data sets in Excel or Access format in support of studies conducted by agency representatives. Due to the provisions of FOH policy (M.39, Release of Confidential Medical Information), confidential medical information may be released only to the agency-designated Employee Medical Files System Manager, or upon written consent of the subject employee(s). Non-confidential information or non-identifiable data (average weight of the work force) may be released to the agency.

The RMO works with the agency to assist them in identifying the information that is necessary to meet their program needs, and to assure that the information provided does not breach the requirements of confidentiality. Where policy questions exist, staff or contractors can call the Associate Medical Director or Director of Clinical Services for policy clarification.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Reviewing medical officers and designated customer representatives who aggregate data.

Ohims supports operations functionality for Ohims clients in approximately 5 RMO/ doctor locations throughout the United States.

Ohims was completed and placed into production during February 1999. It is comprised of a Microsoft terminal server application that communicates with the centralized Ohims Oracle server at BTS and collects exam data, and a centralized Ohims Reports Oracle database that provides reports to FOH and Customer management. Ohims provides FOH doctors with a tool that meets their surveillance goals, with centralized management and reporting capabilities.

“Surveillance management” refers to the process of gathering information on a person who has called into the FOH Clinic for an appointment and signed a Statement of Understanding (SOU). Initial client contacts are classified as a “Pre-Phase”. Information is collected from those individuals’ exposure history into the Ohims. Pre-Phase information collected from clients and input into Ohims includes demographic information (i.e., employment type, date of birth, name, employee SSN, gender, etc.), contact information, and employment information. This data is input into Pre-Phase module (labeled Health Surveillance Module by Sentry). Refer to Figure 1 for the graphical process flow.

Once complete the exam is sent to the agreement managers who direct it to the Reviewing Medical Officer (RMO) who evaluates the individual’s ability to perform their assigned tasks. The RMO reviews occupational exposure and changes in health to confirm the individual is being properly trained and protected for the work environment.

RMO / doctors are able to create and print any of the Ohims reports to effectively manage the individual’s exposures or activity. These reports are stock FOH forms.

Patient demographic information is collected to include DOB, SSN or unique ID, height, weight and other basic medical information. The demographic information is used to track the patient in the database. The medical information is used for Health Surveillance. Demographic information includes IIF (DOB, SSN, name, physical characteristics). Submission is voluntary; the agency is notified if the data submission is refused by the employee. The employee agency then uses its own policy and procedures for doing the exam (regulatory, agency mandated, voluntary surveillance, etc.).

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Consent forms must be signed. All employees are required to read DFOH's privacy statement when they have their exam in the OHC and are asked to sign an authorization for disclosure which describes what information will be disclosed outside FOH. Form FOH-6 is the disclosure form and form FOH-32 is the privacy statement. All employees are asked to sign a release of information form before any identifiable information is transferred or released from OHIMS.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Firewalls, active directory, locked room, confidentiality agreements, level 6 clearance of team members.

Users can access Ohims utilizing a Citrix Client connection to the Ohims Terminal Server site through the Intranet. The Ohims ORACLE server maintains an active database of exams and RMO findings, including all demographic and medically confidential data. This is transported to the appropriate nurse or doctor via the Terminal Server through a Citrix Client connection. Additionally, full private firewall and anti-virus protection are provided on each desktop to prevent corruption or unauthorized capture of data. All users are required to have unique user names and passwords to gain access to the database and Ohims application. Strong passwords are required by all users, which consist of eight (8) characters with at least one Capital, one special character and one number. These measures guarantee secure data transmissions and communication between the user community and BTS.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM OS Local Area Network

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 5, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): OS LAN Backbone

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Errol Brown

10. Provide an overview of the system: The OS LAN Backbone is the network supporting operations of the HHS/OS.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: May 11, 2009

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Parklawn computer room

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Parklawn computer room

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Errol Brown

10. Provide an overview of the system: The Parklawn computer room is a data center facility located in HHS's Parklawn building.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Parklawn General Support System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): PSC Parklawn GSS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Errol Brown

10. Provide an overview of the system: The PSC Parklawn GSS is a series of networks that support the operations of the Parklawn building-based portion of PSC (including DCP).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: This system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) This system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Payment Management System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 22, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-01-01-1021-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): Payment Management System (PMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sheila Conley, Terry Hurst, Larry Bedker

10. Provide an overview of the system: Grant payment, cash management system.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The PMS provides data to the agencies that utilize its grant payment services, the Federal Reserve Bank system, and the Treasury.

Agency databases, payment activity, disbursement activity, SF224 data, sync data, vendor data, and CAN data

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The PMS maintains automated interfaces to the agency financial systems that utilize its services. The HHS standard financial record is exchanged to identify new grants and modification to existing grants. The PMS provides output to the agencies with regard to disbursement data, synchronization data, SF224 data, and daily payment information to agencies that request it. All information exchanged between the PMS and the agencies is intended to synchronize the two systems with current financial information. In addition, DPM requires the grant recipients to provide hard copy of the 1199 direct deposit form for proper routing of banking information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The data input to the PMS is derived from the agencies, the recipients, and the staff at DPM. The data input to the system from the staff is entered online from workstations located at the DPM site. This information results in the establishment of accounts, subaccounts, and recipient information. The grant recipients are provided with a package of information when they receive a grant award. The packet requests that they provide DPM with identifying information to include taxpayer ID and 1199 direct deposit banking data. This exchange is via hard copy. All other data exchanged between the agencies, treasury, Federal Reserve Bank, and recipients is in an electronic format. DPM has guidebooks that describe the interfaces needed to communicate between systems.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All data collected to support the processes of the PMS is stored in tables. The information is secured through multiple levels of security and access controls have been established to authenticate the user and to determine if the user has the authorization to perform actions requested. The access controls are supplemented with a secure network at both NIH and DPM.

Administrative Controls:

- C&A 6/30/5

- Approved SSP

- Contingency Plan

- Backups

- Offsite Storage

- User Manuals

- Contractor Agreements

- Least Privilege

- IIF Policy

Technical Controls:

- UserID and Passwords

- Firewall

- Virtual Private Network

- Intrusion Detection

- Process for monitoring and responding to security incidents

- Encryption

- CAC Cards

- PKI

Physical Controls:

- Guards

- ID Badges

- CCTV

- Keycards

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Perry Point Local Area Network

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-08-02-1040-00-405-143

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): P Point LAN

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Grubb

10. Provide an overview of the system: The Perry Point LAN provides local connectivity.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: No

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Personal Property Facility Local Area Network

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-08-02-1016-00-405-143

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): PPF Local Area Network

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Debbie Orfe

10. Provide an overview of the system: The PPF LAN provides local connectivity for the Personal Property Facility offices and warehouse.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: No

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM PropShop

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1020-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): PropShop Web Ordering System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Debbie Orfe

10. Provide an overview of the system: To enable items and services to be ordered online by DHHS/Federal agencies.

PropShop is critical for providing customers 24/7 access to request products or services from the LSB.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is shared with the PSC Business Office which uses PRICES for billing customers. Additionally, customers receive an order confirmation by e-mail.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information collected is name, mailing address, phone numbers, financial account information, and e-mail address for the purpose of mailing, shipping or delivering an order. In addition, the financial information is required to bill the customer for the product or service provided.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Customers fill in an order page on the website; some PII data is required to complete the order. All LSB customers must follow the same steps to complete an order. The HHS privacy policy is available electronically by the posting of a link at the bottom of the front page of the site.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Users connect through VPN Firewall Brick, which prevents unauthenticated traffic from entering a protected firewall perimeter. It also provides cryptographic protection against attacks by requiring strong end user authentication. Users are authenticated using strong User IDs and passwords.

Administrative Controls:

- C&A completed

- Approved System Security Plan

- Contingency Plan

- Backups

- Offsite storage

- User Manuals

- Contractor Agreements

- Least Privilege

- IIF Policy

Technical Controls:

- UserID and Passwords

- Firewall

- Intrusion Detection

- Encryption

- Process for monitoring and responding to security incidents

Physical Controls:

- ID Badges

- Cipher Locks

- CCTV

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Revenue, Invoicing, and Cost Estimation System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1014-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): PSC Revenue, Invoicing, and Cost Estimation System (PRICES)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mary Woolston

10. Provide an overview of the system: A financial system for the management of a fee for service business. It contains four (4) modules: costing & pricing, forecasting, billing and a web-based customer viewer. PRICES is a system used by the PSC to manage the agency's business operations and facilitate such functions as product costing & pricing, obligation planning, customer invoicing and on-line bill viewing, and cost center management reporting.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Cost and estimated demand information used in the development of rates is presented to the HHS Service and Supply Fund Board during our annual rate approval process. Service provision and billing information is provided to customer program management and fiscal staff to support collection of reimbursements.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The PRICES costing/pricing module allows cost center managers to input projected cost data, demand forecasts, etc. to enable calculation of fee-for-service rates. As our rates are developed using strict full-cost recovery models, this information is key in setting our product prices. The PRICES billing module allows collection of essential information from PSC functional areas about units of service provided, to whom, POCs, projects to be charged, etc. This information results in actual invoices processed in the core financial system and collection of funds from customers for services delivered. All data collected is essential in documenting that services were provided and serves as the basis for reimbursement to the PSC.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The costing and pricing exercise is performed annually and reviewed at mid-year. The PSC Business Office issues an e-mail datacall to Service Directors and cost center managers including guidance for entry of costs and demand into PRICES. Managers obtain this information from historical documents, accounting reports, and other information available to them on future trends, etc. They are informed that the rates developed through PRICES will become, upon approval of the Board, the PSC's published rates for the following fiscal year.

Billing information is collected as services are performed. In most cases, bills will be determined by output of other systems or activities (i.e. FTE counts from HR systems) but in the case of variable services received, providers will record the "who, what, when, and where" and use this information to generate bills. When customers are asked for this information, billers have been instructed to inform them that this information is necessary for billing purposes. Failure to provide the necessary information would likely result in the PSC's inability to offer services to the customer, as all service costs must be recouped through fee revenues.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls:

- C&A completed 7/5/6

- approved System Security Plan

- Contingency Plan

- System backups

- Offsite storage

- User manuals

- Contractor agreements

- Least Privilege access

- IIF policy

Technical Controls:

- UserID and Passwords

- Firewall

- Intrusion Detection

- Process for monitoring and responding to security incidents

Physical Controls:

- Guards

- ID Badges

- Cipher Locks

- CCTV

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM SAMHSA Local Area Network

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): SAMHSA General Support System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Errol Brown

10. Provide an overview of the system: The SAMHSA GSS is a local area network supporting operations of the HHS/SAMHSA operating division.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Service Tracking Management

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1015-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-15-0004

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Service Tracking Module (STM)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dave Fisher

10. Provide an overview of the system: STM provides a complete set of tools to define the interagency agreements between FOH and its customer agencies, collect evidence of the fulfillment of those agreements, and provide external financial systems the information they need to bill for services rendered. STM also provides tools to view reports against data stored within it.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Medical notes and employee information in addition to personal identifying information

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Records in this system are obtained from-- a. The individual to whom the records pertain. b. Agency employee health unit staff. c. Federal and private sector medical practitioners and treatment facilities. d. Supervisors/managers and other agency officials. e. Other agency records. Clients will be informed in writing of the confidentiality provisions. Secondary disclosure of information, which was released, is prohibited without client consent.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information in the system is protected by management, operational, and technical controls commensurate with the level of sensitivity of that information, including:

- Data is stored in a password protected data system

- Data system is protected by network firewalls

- Computer systems maintained at secured government site.

- Electronic data is encrypted.

- Users can enter SSN or Query on SSN to validate a person’s identity, but cannot retrieve SSN for viewing.

- Standard Reports do not display SSN.

- Only specialized reports provided directly to authorized agency reps include this information. These reports can only be run by a select group of people and are provided physically via US Mail directed to the authorized person.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Silver Spring Center Local Area Network

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-02-00-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): PSC SSC LAN

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Errol Brown

10. Provide an overview of the system: The PSC SSC LAN is a local area network supporting the operations of the Silver Spring Center based portion of the HHS/PSC (HRS).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not collect, maintain or disseminate IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The system does not collect, maintain or disseminate IIF.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not collect, maintain or disseminate IIF.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASAM Web Warehouse Inventory Management System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Feb 13, 2008

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-06-02-1018-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): Web Warehouse Inventory Management System (WebWIMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Debbie Orfe

10. Provide an overview of the system: Provides inventory management, space control, order entry, receiving, and storage functionality for the AOS Personal Property Facility in Gaithersburg.

WebWIMS provides material handling, inventory control, and employee assignment using radio frequency (narrow band wireless) and barcode technology with optional interfaces to conveyors, carousels, picking devices, etc. A wireless technology is required to accommodate the constant movement of product, mobility of users, and accommodate the demands for real time data in internal inventory control and space management. In addition, data is gathered to support workload and performance monitoring for PSC KPI program and MEO reporting to QASP.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): -

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Internal Branch Employees.

PSC/Business Office - manual interface with PRICES for billing customers, Customer courtesy copy

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information will be collected for order entry purposes. All LSB employees require access to conduct their daily duties.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Paper/verbal data will be collected and entered by Branch employees. Electronic notifications will be used to convey the information to the employees. The employees will need to make a decision on cancelling any order.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Full suite of controls in accordance with SP 800-53. See the Security plan for details.

Administrative:
- Certification and Accreditation
- System Security Plan
- Contingency Plan
- Backups and off-site storage
- User Manuals
- Training
- Contractor privacy clauses
- Least privilege
- Policy and guidelines for IIF

Technical:
- UserID and passwords
- Firewall
- Encryption
- Intrusion Detection System
- Privacy/security incidents process

Physical:
- ID Badges
- Cipher locks
- CCTV

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASPA HHS Enterprise Portal

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-02-00-02-0003-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HHS Enterprise Portal

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Prudence Goforth

10. Provide an overview of the system: To provide integrated collaboration and application access across the HHS enterprise. To provide employees with instant access to timely information on the vital health and human service programs that reside within HHS. To reach employees directly and quickly with information in a form they can readily use. The Web Portal will facilitate collaboration among the thirteen agencies and numerous Department-level offices that comprise HHS.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Work-related information for collaboration purposes. No IIF information will be collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT Automated Financial Statement System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Feb 23, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-01-06-02-0004-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Automated Financial Statement System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Katherine Lee

10. Provide an overview of the system: Collects OPDIVs' financial statement data to generate the HHS-wide year-end and quarterly statements

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: OPDIV financial data is collected to produce a consolidated financial statement for HHS -- for year-end and quarterly submissions to OMB. The data used is not confidential, not sensitive, and not private. No IIF information is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry Hurst

Sign-off Date: Feb 23, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT Financial Information Reporting System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Financial Information Reporting System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Edward A. Martin

10. Provide an overview of the system: Used in the development of outlay estimating, tracking spending, and tracking apportionments. It provides a repository for detailed historical obligations and outlay data for all uncancelled appropriation fiscal years. It also provides rates for accounts and budget activities for "waterfall tables" used in developing outlay estimates for the President's Budget and required to be submitted in support of the Department's outlay estimates.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: FIRS is used in developing outlay estimates for the President's Budget and required to support the HHS estimates. It also provides the official summary of Treasury outlay reports, apportionment logging and tracking to permit the HHS OPDIVs to find out the status of their apportionments as they move from HHS to OMB and back.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT Grants.gov

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 31, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-01-99-01-0160-24

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): none

7. System Name (Align with system Item name): Grants.gov -- Find and Apply

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Nicolosi

10. Provide an overview of the system: Grants.gov is one of the PMA E-Gov initiatives and is deploying 2 Government-wide grants mechanisms: Find and Apply. The Find mechanism allows Federal agencies to post funding opportunities on Grants.gov and allows potential applicants to search these opportunities. All grant-making agencies were publishing funding opportunities by October 2003. The Apply mechanism allows agencies to post their application packages on Grants.gov and allows applicants to download the packages, complete them offline, and submit them electronically. The Apply mechanism was launched on October 31, 2003. Grants.gov operates a Contact Center at a state-of-the-art secure hosting facility to support agency and applicant users. Grants.gov also operates a forms factory to develop (electronic) forms for the grant-making agencies. Grants.gov's day-to-day activities are operated out of the Grants.gov Program Management Office.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Allows Federal agencies to post funding opportunities, and allows potential applicants to search these opportunities. Does not contain IIF information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT HHS Enterprise Architecture Repository

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 31, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-03-00-02-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Metis Team Server

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Teeter

10. Provide an overview of the system: Used to track and analyze the layers of the HHS Enterprise Architecture (EA) and the relationships between those layers.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Infrastructure and process information for Capital Planning and Investment purposes. No IIF information is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT HHS Identity Management System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: Conversions

1. Date of this Submission: Feb 13, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-02-00-02-0030-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): fr25ap08-65

5. OMB Information Collection Approval Number: 3206-0005, SF-85, SF-86

6. Other Identifying Number(s): GS-35F-0306J (FISMA ID), I-9 form 1615-0047, Declaration for Federal Employment 3206-0182 (?)

7. System Name (Align with system Item name): OS ASRT HHS Identity Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ken Calabrese

10. Provide an overview of the system: This system will produce the new ID badge for all HHS employees and contractors across all HHS Operating Divisions. The IIF collected will be used to uniquely identify personnel on PIV II cards. This information includes biometrics (fingerprints) and digital certificates. This system was authorized by the HHS CIO and meets presidential directive HSPD-12 guidance.

Enhancement (EAM) provides a single-sign-on mechanism using the PIV cards for authentication.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): HHS will use the information on the card and may use some of the stored information when a person accesses federal facilities, computers, applications, or data to prove the person's identity and right of access. Information is shared with OPM for clearance of employees. Information is also shared with the certification authority which provides digital certificates. Limited information may also be exchanged with the Federal Bridge CA.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The agency will collect the following IIF information: full name, facial photograph, two fingerprints, date of birth, home address, home phone number, background investigation form, the results of a background check, the approval signature of the person who registered the user in the system, card expiration date, the card serial number, and copies of the documents used to verify identity, such as driver's license or passport. Not all information collected is entered into this system. See answers in section 17 for detailed IIF contained within the system.

The investigation is a federal government job requirement. Those who refuse to provide personal information will not meet the requirements of the job and will therefore not be considered further. Current employees who do not meet these requirements will be terminated.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) PIV card applicants are required to complete applicant training about the PIV process and must print out a training completion form. In addition, upon receipt of the badge, each applicant is required to sign a statement that s/he knows his/her rights and responsibilities.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The database and individual OPDIV feeder servers are located within secured buildings. Different degrees of security have been implemented at all locations, with some including Biometrics and Closed Circuit TV.

Technical controls which minimize the possibility of unauthorized access, use, or dissemination of the data in the system are also in place. These include: user identification, firewalls, VPN, encryption, Intrusion Detection System and PIV Cards.

Guards, ID Badges and Key cards further ensure IIF will be secure.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth M. Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Sep 20, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT HHS IT Portfolio Management Tool (ProSight)

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-03-00-02-0050-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): HHS IT Portfolio Management Tool (ProSight)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jeff Lovern

10. Provide an overview of the system: To support the Department's Capital Planning and Investment Control (CPIC) process and the information technology (IT) budget formulation process, including the support of data collection and generation for OMB Exhibit 53 and 300 reporting.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Summary and detailed information on individual IT investments and across OPDIV IT investments.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT Information Collection Request, Review & Approval System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Apr 27, 2006

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-01-06-02-0142-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Information Collection Request, Review and Approval System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Alice Bettencourt

10. Provide an overview of the system: To assist HHS to electronically administer and manage its information collection clearance responsibilities under the Paperwork Reduction Act (PRA). Information Collection Review & Approval System (ICRAS) is a web-based database application that helps Federal agencies electronically administer and manage their information collection clearance responsibilities under the Paperwork Reduction Act (PRA).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): OMB

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: ICRAS provides users with the functionality to create and upload OMB PRA forms 83-I, 83-C, 83-E, 83-D, Supporting Statements, draft and final Federal Register postings, laws, statutes, regulations, memos and cover letters, and OMB's Notices of Action in reply to the submittal of the OMB 83 forms and attachments.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT Security and Privacy Online Reporting Tool

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: Not Applicable

1. Date of this Submission: May 31, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A - System is not subject to the Privacy Act and thus does not require a SORN.

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): OS ASRT Security and Privacy Online Reporting Tool

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lavon Hopkins

10. Provide an overview of the system: SPORT collects and maintains all security and privacy data points and metrics on HHS’ FISMA information systems. The Primavera ProSight Fast Track for FISMA and Privacy Compliance application, a commercial off-the-shelf (COTS) product, is the primary component of the SPORT system. This COTS product enables the SPORT system to deliver IT services that allow agencies to capture, assess, manage, and report on the overall posture of information security programs and systems. As the HHS Enterprise FISMA tool, SPORT serves as the Department’s authoritative IT FISMA system inventory. HHS uses information stored in SPORT for quarterly and annual FISMA reporting to the OMB, POA&M oversight, PIA, and SSA completion and storage, and Federal Information Processing Standard (FIPS) 199 system security categorization. Furthermore, SPORT enables the HHS CISO to conduct internal oversight reviews and to respond to the Office of Inspector General (OIG) and various other data calls. SPORT’s scorecards provide executive-level snapshot reports to assist senior management in information security decision making. Additionally, SPORT enables users to export data from the tool and attach this information to the document repository for historical purposes. The document repository, a module within the SPORT application, also allows users to upload other system security-related artifacts.

SPORT supports a combined user base of approximately 300 active users. SPORT users include Operating Division (OPDIV) Administrators, CISOs and ISSOs; System Owners; System Reviewers; PIA Reviewers, Senior Officials for Privacy (SOP); and PIA Editors.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A - The system does not share PII.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information collected in this system does not constitute PII. According to HHS PIA Policy, “systems that collect PII ‘permitting the physical or online contacting of a specific individual…employed [by] the Federal Government’ [See E-Government Act of 2002 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf] are an exception. Under these circumstances, only the PIA Summary is required for that system.”

SPORT collects and maintains all HHS systems' IT security data necessary for quarterly and annual FISMA reporting, POA&M management, system PIA and self assessment completion and storage, FIPS 199 system security categorization, and FISMA system inventory maintenance. POA&M management includes the tracking of system and program related security weaknesses. Security categorization includes the identification of information types maintained by a particular system and the potential impact (High, Moderate, Low) resulting from compromises to confidentiality, integrity, and availability. System Inventory maintenance includes the state of the system (stage, lifecycle, classification), contact information (ISSO, DAA/AO, system owner, program manager), and the status of security and privacy information (C&A, SSP, risk assessment, system security control review and testing, contingency planning and testing, configuration management, and PIA).

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The information collected in this system does not constitute PII.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative – SPORT has a system contingency plan which, when activated, calls upon the SPORT System Owner, SPORT system administrators, and HHS security staff and contractors, to reconstitute system operations. SPORT files are backed up regularly and stored offsite. Least privileged access is granted, and user manuals are available to identify user roles and responsibilities.

Technical – Access controls are articulated through existing Department policies and procedures represented in the Secure One HHS Information Security Program Policy and the corresponding guidance document, HHS Information Security Program Handbook. Session termination is configured for a 30-minute timeout after which a session will be terminated. Remote access may be granted but only in instances in which the user is first connected to the HHS network via Virtual Private Network (VPN) encrypted tunnel. No wireless access to the application is allowed, nor are direct connections between the application and portable and mobile devices permitted.

Physical - SPORT is considered an application. As such, it is dependent on the overall general support system and the environment in which that system resides for the proper implementation of physical and environmental security controls. OS/ITO is primarily responsible for ensuring these controls are properly implemented and regularly evaluated.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth M. Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: May 31, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT Tracking Accountability in Government Grants System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 31, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-01-06-02-0003-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): none

7. System Name (Align with system Item name): Tracking Accountability of Government Grants System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Etcheverry

10. Provide an overview of the system: The TAGGS database is a central repository for grants awarded by the twelve HHS Operating Divisions (OPDIVs). TAGGS tracks obligated grant funds at the transaction level.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Tracks HHS-obligated grant funds. Does not contain IIF information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT Unified Financial Management System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 13, 2008

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-01-01-01-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0024

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): none

7. System Name (Align with system Item name): Unified Financial Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sheila Conley

10. Provide an overview of the system: The Unified Financial Management System (UFMS) is a business management tool designated to provide timely and reliable information to improve financial, business and operational functions within HHS. UFMS is designated to satisfy 3 categories of financial management systems requirements mandated by the Federal Financial Management Improvement Act (FFMIA). These are: 1) Federal financial management systems requirements promulgated by OMB and the Joint Financial Management Improvement Program (JFMIP); 2) federal accounting standards; and 3) the United States Standard General Ledger at the transaction level.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information will be shared between the Office of the Secretary (OS), Centers for Disease Control (CDC), Food and Drug Administration (FDA), National Institutes of Health (NIH), Administration on Aging (AoA), Administration for Children and Families (ACF), Agency for Healthcare Research and Quality (AHRQ), Health Resources and Services Administration (HRSA), Indian Health Service (IHS), Substance Abuse and Mental Health Services Administration (SAMHSA), Centers for Medicare and Medicaid Services (CMS), the U.S. Department of the Treasury, and the U.S. Department of Defense.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The system will collect transactional and accounting data to meet functional requirements for Core financial management functions: General Ledger, Budget Execution, Payment and Receipt Management, Cost Management, Commitments and Obligations, and Reporting.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) The information will be keyed into the database. The information may come directly from the private individual source or from other offices within the UFMS boundaries. All notification for the use and protection of private information will be conveyed in writing during training and by electronic notice. Although the need to share this information outside the UFMS system boundaries is not required, it could be in the future. Processes are still being developed to determine how consent will be given with regard to what information is collected and how it will be shared.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system will be secured by methods prescribed in the System Security Plan (SSP). The SSP calls for system life-cycle practices for Federal financial systems. The methods employed include risk assessments and implementation of management, operational, and technical controls.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth M. Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 13, 2008

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS ASRT Watchfire Web XM

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-00-03-00-02-0025-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Watchfire

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jaren Doherty

10. Provide an overview of the system: Automates the analysis of online properties to identify issues that jeopardize HHS's identity and reputation, mitigates online risk by identifying and alerting executives about privacy and data security issues, and provides an inventory and technology map of their entire online presence.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Analyzes HHS online information to improve information integrity, security, and inventory. Contains no IIF information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS DAB Automated Case Tracking System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-01-06-02-0005-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): none

7. System Name (Align with system Item name): DAB Automated Case Tracking System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Neil Kaufman

10. Provide an overview of the system: Tracks status of DAB cases via automation. Separate modules for each DAB division.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Information enables DAB staff to track status of their various cases. Does not contain IIF information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS IOS Strategic Work Information and Folder Transfer

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 31, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-01-06-02-7255-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Strategic Work Information and Folder Transfer

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Vanessa McClam

10. Provide an overview of the system: SWIFT is the records and document management system for the Office of the Secretary, Executive Office. SWIFT provides scanning, classifying, indexing, storage, retrieval, workflow, dissemination, and tracking capabilities for all of the documents received or generated by the executive office.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Documents received and/or generated by the executive office. No IIF information is collected or maintained.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS OCR Program Information Management System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-01-06-02-0001-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0052

5. OMB Information Collection Approval Number: 0990-0269

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Program Information Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Fernando Correa

10. Provide an overview of the system: Case tracking, document management and executive information. The Program Information Management System (PIMS) was developed to allow OCR to manage more effectively its program information needs and to integrate all of OCR's various business processes, including all its compliance activities, to allow for real time access and results reporting and other varied information management needs. Among other things, PIMS was developed to support the collection of compliance related and other identifying information needed for OCR to complete compliance activities and determinations. Title VI of the Civil Rights Act of 1964, Section 504 of the Rehabilitation Act of 1973, the Age Discrimination Act of 1975 and other statutes that prohibit discrimination by programs or entities that receive Federal financial assistance from HHS; Federally-conducted programs in cases involving disability-based discrimination under Section 504 of the Rehabilitation Act; state and local public entities in cases involving disability-based discrimination under Title II of the Americans with Disabilities Act; certain health plans, health clearinghouses and health care providers with respect to enforcement of the standards for privacy of individually identifiable health information under the privacy rule issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): DoJ, EEOC, Federal Mediation & Conciliation Service, other Federal agencies, Congressional offices (but only in response to forwarded constituent inquiries) -- as part of routine uses as specified in System of Records notice. Permitting disclosure to a congressional office, allows subject individuals to obtain assistance from their representatives in Congress, should they so desire. Such disclosure would be made only pursuant to the request of the individual. Allows disclosure to the Department of Justice or a court in the event of litigation. Allows referral to the appropriate agency, in the event that a System of Records maintained by this agency to carry out its functions indicates a violation or potential violation of law. Allows disclosure of records to contractors for the purpose of processing or refining records in the system. Complaints involving alleged age discrimination are referred to the Federal Mediation and Conciliation Service consistent with the regulations implementing the Age Discrimination Act of 1975. Certain employment cases may be referred to the Equal Employment Opportunity Commission. In each of these instances, the allegations themselves are forwarded, but the data on the cases resident in OCR's PIMS system is not forwarded.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The mandatory fields for the new forms are: name, contact information, whether the complaint is being filed on behalf of someone else, the basis for the complaint (e.g., race/color/national origin, age, religion, gender (male/female), disability, violation of the privacy of protected health information), the entity against which the complaint is being filed, when the incident(s) occurred, a brief description of what happened and the complainant's signature. In some situations, the law requires OCR to get the complainant's signature, in other cases it is voluntary. In addition, several voluntary fields are included to assist OCR in processing the complaint and to provide appropriate customer service. Those fields are: an alternate person to contact if the complainant cannot be reached; whether this complaint has been filed with other agencies or is the basis of a lawsuit and, if so, to identify where else the complaint has been filed; and whether the complainant needs special accommodations for OCR to communicate with them (e.g. Braille, TDD). We also have included a limited number of questions to be answered on a voluntary basis to help us better assess whether we are adequately reaching and providing service to populations whose rights are covered by our statutory authorities. These questions concerning the complainant or the person on whose behalf a complaint has been filed, are: ethnicity, race, primary language spoken (if other than English), and the means by which the complainant learned about being able to file complaints with the Office for Civil Rights. 
Failure to answer the voluntary questions will not affect OCR's decision to process a complaint. Use of these forms is voluntary. Alternatively, a complainant may choose to submit a complaint in the form of a letter, or electronically. In its Medicare certification process, each applicant for certification responds to OCR's data request. The questions pertain to the policies and procedures of nondiscrimination; communication with persons who are Limited English proficient or sensory impaired; required notices; provision of auxiliary aids to persons with sensory, manual or speech impairments; grievance procedures for disability discrimination allegations; and information regarding restrictions based on age. The information received in response to a data request does not normally include personally identifiable information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) For individual complaints, the initial information is collected from the complainant, or someone acting on their behalf. It is collected using one of OCR's two approved complaint forms for discrimination complaints and health information privacy complaints, which are available for downloading from OCR's web site. Alternatively, a complainant may choose to submit a complaint in the form of a letter, or electronically. OCR's two complaint forms each contain a privacy notice describing how the complainant's information will be used. The discrimination notice is similar to the following health information privacy notice: "Filing a complaint with OCR is voluntary. However, without the information requested above, OCR may be unable to proceed with your complaint. We collect this information under authority of the Privacy Rule issued pursuant to the Health Insurance Portability and Accountability Act of 1996. We will use the information you provide to determine if we have jurisdiction and, if so, how we will process your complaint. Information submitted on this form is treated confidentially and is protected under the provisions of the Privacy Act of 1974. Names or other identifying information about individuals are disclosed when it is necessary for investigation of possible health information privacy violations, for internal systems operations, or for routine uses, which include disclosure of information outside the Department for purposes associated with health information privacy compliance and as permitted by law. It is illegal for a covered entity to intimidate, threaten, coerce, discriminate or retaliate against you for filing this complaint or for taking any other action to enforce your rights under the Privacy Rule. You are not required to use this form.
You also may write a letter or submit a complaint electronically with the same information. To submit an electronic complaint, go to our web site at: http://www.hhs.gov/ocr/privacyhowtofile.htm. To mail a complaint see reverse page for OCR Regional addresses." In addition, for all complaints received that OCR initially determines are within our jurisdiction, complainants receive an acknowledgment letter that includes a fact sheet titled Protecting Personal Information in Complaint Investigations. This fact sheet describes how the information is protected by OCR, how a person can request a copy of their file under the Freedom of Information Act, to what other government agencies OCR may legally give the complainant's information (see Section 4 above), and what protections are in place if someone else requests the complainant's file. Where investigation of a complaint requires providing the complainant's name to the covered entity against whom the complaint is filed, the complainant is always asked to sign a consent form allowing release of their name to the covered entity. Similarly, if investigation of the complaint requires acquiring the complainant's medical record from the covered entity, the complainant is asked to sign an authorization allowing OCR to request the information.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized OCR users whose official duties require the use of such information have access to the information in the system. No users outside of OCR have access to PIMS. Specific access is structured around need and is determined by the person's role in the organization. Access is managed through the use of electronic access control lists, which regulate the ability to read, change and delete information in the system. Each OCR user has read access to designated information in the system, with the ability to modify only their own submissions or those of others within their region or group. Data identified as confidential is so designated and only specified individuals are granted access. The system maintains an audit trail of all actions against the data base. All electronic data is stored on servers maintained in locked facilities with computerized access control allowing access to only those support personnel with a demonstrated need for access. A database is kept of all individuals granted security card access to the room, and all visitors are escorted while in the room. The server facility has appropriate environmental security controls, including measures to mitigate damage to automated information system resources caused by fire, electricity, water and inadequate climate controls. Access control to servers, individual computers and databases includes a required user log-on with a password, inactivity lockout to systems based on a specified period of time, legal notices and security warnings at log-on, and remote access security that allows user access for remote users (e.g., while on government travel) under the same terms and conditions as for users within the office. System administrators have appropriate security clearance. 
Printed materials are filed in secure cabinets in secure Federal facilities with access based on need as described above for the automated component of the PIMS system.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS OGC Matter Tracking System

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-90-01-06-02-0138-00

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Matter Tracking System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Shimabukuro

10. Provide an overview of the system: A centralized system that enables a sophisticated analysis of not only current but also projected workloads across the enterprise. It provides a robust data capture, workflow, timekeeping, and reporting solution set that enables better strategic planning and performance-based budgeting.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): OGC attorneys, paralegals and legal staff

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: Every piece of information -- notes, case development information, legal research, correspondence, pleadings, evidence, court calendars, task lists, statutes of limitations and other critical deadlines, time and expense entries, budgets, and e-mails -- is automatically placed in the right electronic matter file under the matter and client numbers used by an organization's accounting system. No IIF information is collected or maintained in MTS.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) N/A

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Suzi Connor

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS OPHS Commissioned Corps Payroll

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Jul 31, 2009

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: -

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name (Align with system Item name): Commissioned Corps Personnel and Payroll System (CCP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry Weisskohl

10. Provide an overview of the system: CCP is a web-based system that provides payroll and personnel services for the 13,000+ Commissioned Corps Active Duty, Retirees and Annuitant population.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is shared only as part of the payroll processing.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: The information in the system is the range of personal information necessary for providing full pay and personnel services.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) Information is submitted by the individual as part of their in-processing. Updates to the information are supplied by the individuals as necessary.

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: -

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): -

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The information in the system is protected by management, operational, and technical security controls commensurate with the level of sensitivity of the system. The system is certified and accredited.

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth M. Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: May 28, 2009

Approved for Web Publishing: -

Date Published: September 1, 2009

_____________________________________________________________________________

06.3 HHS PIA Summary for Posting (Form) / OS OPHS Division of Commissioned Personnel Local Area Network

PIA SUMMARY AND APPROVAL COMBINED

PIA Summary

Is this a new PIA? Yes

If this is an existing PIA, please provide a reason for revision: -

1. Date of this Submission: Aug 16, 2007

2. OPDIV Name: OS

3. Unique Project Identifier (UPI) Number: 009-91-01-08-01-1100-00-403-250

4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name (Align with system Item name): DCP LAN

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol Arbogast

10. Provide an overview of the system: The DCP LAN provides local connectivity for the DCP office.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?): No

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4): No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory: No

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared.

(Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) No

32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII): No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Approval

PIA Reviewer Approval: Promote

PIA Reviewer Name: Ruth Doerflein

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Terry L. Hurst

Sign-off Date: Aug 17, 2007

Approved for Web Publishing: Yes

Date Published: September 1, 2009

_____________________________________________________________________________