• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

Third Party Websites and Applications Privacy Impact Assessment - Google Analytics for Quality Payment Program

Date Signed:
10/17/2016

OPDIV:
CMS

Name:
Google Analytics for Quality Payment Program

TPWA Unique Identifier:

Is this a new TPWA?
Yes

Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?
No

Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
No

Does the third-party Website or application contain Federal Records?
No

Describe the specific purpose for the OPDIV use of the third-party Website or application:
CMS uses reports and analysis from Google Analytics to measure the number of visitors to qpp.cms.gov and its various sections. The analyses and reports help to make qpp.cms.gov more useful to visitors/consumers.

The CMS staff who analyze the reports from Google Analytics, include CMS employees responsible for implementing the Quality Payment Programs (QPPs), members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their duties and support the QPPs.

Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?
Yes

Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:
If consumers do not want Google Analytics to collect information related to their visits to qpp.cms.gov, consumers can use the Tealium IQ Privacy Manager on qpp.cms.gov’s privacy page and "opt out" of having data collected about them by Google Analytics. Alternatively, a consumer can disable their cookies if they do not want their information to be collected or can use the Google Analytics opt out tool referenced in the qpp.cms.gov privacy policy.

Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?
No

How does the public navigate to the third party Website or application from the OPIDIV?
N/A. Google Analytics is a web measurement tool used to monitor visitor traffic on a website; it is not a website accessible to the public.

Please describe how the public navigate to the third-party website or application:
N/A. Google Analytics is a web measurement tool used to monitor visitor traffic on a website; it is not a website accessible to the public.

If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a non-governmental Website?
No

Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?
Yes

Provide a hyperlink to the OPDIV Privacy Policy:
https://qpp.cms.gov/privacy/

Is an OPDIV Privacy Notice posted on the third-part website or application?
No

Is PII collected by the OPDIV from the third-party Website or application?
No

Will the third-party Website or application make PII available to the OPDIV?
No

Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third- party Website or application and the intended or expected use of the PII:
CMS does not collect any PII through the use of Google Analytics.

Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
N/A

If PII is shared, how are the risks of sharing PII mitigated?
N/A

Will the PII from the third-party website or application be maintained by the OPDIV?
No

Describe how PII that is used or maintained will be secured:
N/A

What other privacy risks exist and how will they be mitigated?
CMS will use Google Analytics in a manner that protects the privacy of consumers who visit qpp.cms.gov and respects the intent of qpp.cms.gov users. CMS will conduct periodic reviews of Google Analytic's privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy.

Google Analytics is employed solely for the purposes of improving CMS’ services and activities online related to operating qpp.cms.gov. Information collected by Google Analytics is created and maintained by Google.

Risk #1:
Persistent cookies are used with Google Analytic’s tools on qpp.cms.gov that are stored on a user’s local browser. Google Analytics cookies are stored for two years.

Mitigation:
Google Analytics’ privacy policies, notices from qpp.cms.gov, information published by Google Analytics about its privacy policies, and the ability for consumers to opt out of providing their information to Google Analytics through the Tealium iQ Privacy Manager on the qpp.cms.gov website maximizes consumers’ ability to protect their information and mitigate risks to their privacy. Periodic reviews of Google and Google Analytics privacy policies are conducted by CMS to ensure these best practices are being followed.

Risk #2:
Google Analytics collects hundreds of data elements, including standard data elements and custom data elements. These data elements are all listed and can be found here: https://developers.google.com/analytics/devguides/reporting/core/dimsmets

For individual users, geographic data is collected, based on the IP address (device location is an approximation), the user’s device, device type, screen resolutions, flash version, browser, browser version, operating system and operating system version are all collected. In addition to the standard data elements collected, custom data is collected via ‘events’ and ‘custom dimensions’ and ‘custom metrics’. For example, Google Analytics collects information about how many people download a PDF file by clicking a link.

Mitigation:
Google Analytics does not share actual IP address information with CMS as an additional step to safeguard qpp.cms.gov users’ privacy. Gender and Interest Group tracking features provided by Google Analytics have been disabled in the CMS implementation. Google Analytics Terms of Service includes a "zero tolerance" policy from assisting or accepting any type of PII or information that could be recognized as PII from a third party.

Content created by Assistant Secretary for Public Affairs (ASPA)
Content last reviewed on October 20, 2016