﻿"prompt","response"
"Date Signed:","08/11/2025"
"OPDIV:","NIH"
"Name:","NIH Clinical e-Protocol Writing Tool"
"PIA Unique Identifier:","P-5507678-606962"
"The subject of this PIA is which of the following?","Minor Application (child)"
"Identify the Enterprise Performance Lifecycle Phase of the system.","Operations and Maintenance"
"Is this a FISMA-Reportable system?","No"
"Does the system include a Website or online application available to and for the use of the general public?","Yes"
"Identify the operator.","Contractor"
"Is this a new or existing system?","New"
"Does the system have Security Authorization (SA)?","Yes"
"Describe the purpose of the system.","The NIH Clinical e-Protocol Writing Tool facilitates the development of phase 2 and 3 clinical trial protocols that require a Food and Drug Administration (FDA) Investigational New Drug (IND) or Investigational Device Exemption (IDE) Application. This electronic protocol writing tool has been developed through the National Institutes of Health (NIH) Office of Science Policy, using the Phase 2 and 3 IND/IDE Clinical Trial Protocols."
"Describe the type of information the system will collect, maintain (store), or share.","""The system collects the following information about NIH clinical trial protocols:Protocol NameProtocol SummaryIntroduction (Study Rationale, Background, Risk/Benefit Assessment)Objectives and EndpointsStudy DesignStudy PopulationStudy InterventionStudy Intervention Discontinuation and ParticipantStudy Assessment and ProceduresStatistical ConsiderationsSupporting Documentation and Operational ConsiderationsReferencesThe system collects the following personally identifiable information (PII): names, email addresses, organization, and passwords are of users so they can access and manage their individual accounts."""
"Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.","The NIH Clinical e-Protocol Writing Tool facilitates the development of phase 2 and 3 clinical trial protocols that require a Food and Drug Administration (FDA) Investigational New Drug (IND) or Investigational Device Exemption (IDE) Application. This electronic protocol writing tool has been developed through the National Institutes of Health (NIH) Office of Science Policy, using the Phase 2 and 3 IND/IDE Clinical Trial Protocols.""The system collects the following information about NIH clinical trial protocols:Protocol NameProtocol SummaryIntroduction (Study Rationale, Background, Risk/Benefit Assessment)Objectives and EndpointsStudy DesignStudy PopulationStudy InterventionStudy Intervention Discontinuation and ParticipantStudy Assessment and ProceduresStatistical ConsiderationsSupporting Documentation and Operational ConsiderationsReferencesThe system collects the following personally identifiable information (PII): names, email addresses, organization, and passwords are of users so they can access and manage their individual accounts."""
"Does the system collect, maintain, use or share PII?","Yes"
"Indicate the type of PII that the system will collect or maintain.","Name; E-Mail Address; password; organization"
"Indicate the categories of individuals about whom PII is collected, maintained or shared.","Employees; Public Citizens"
"How many individuals' PII is in the system?","5,000-9,999"
"For what primary purpose is the PII used?","The primary purpose of the collection of PII is to create an account for users and to provide a login for accessing their accounts."
"Describe the secondary uses for which the PII will be used.","NA"
"Identify legal authorities governing information use and disclosure specific to the system and program.","42 U.S. Code § 28142 U.S. Code § 24142 U.S. Code § 282"
"Are records on the system retrieved by one or more PII data elements?","No"
"Identify the sources of PII in the system.","Directly from an individual about whom the information pertains - Email; Directly from an individual about whom the information pertains - Online; Government Sources - Within OpDiv; Non-Governmental Sources - Public"
"Identify the OMB information collection approval number and expiration date","NA. The collection of PII to create an account solely for access is exempt from the requirements of the Paperwork Reduction Act."
"Is the PII shared with other organizations?","No"
"Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.","The website has the following language on the sign in page. ""You are entering an Official United States Government System that may be accessed and used only for official business by authorized personnel. Unauthorized access or use of this computer system may subject violators to criminal, civil, and/or administrative action. All information on this computer system may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations. Authorized users shall be defined as those individuals given express permission to access the system by the National Institutes of Health. This should be done by way of registering with the system through the Office of Science Policy, NIH. Access or use of this computer system by any person, whether authorized or unauthorized, constitutes consent to these terms."""
"Is the submission of PII by individuals voluntary or mandatory?","Voluntary"
"Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.","There is no opt-out option. Without providing email address, users won't be able to use the system"
"Process to notify and obtain consent from individuals whose PII is in the system when major changes occur to the system.","Notifications will be put on the website landing page prior any changes."
"Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate.","Individuals that have concerns about their PII can reach out to the Clinical e-Protocol Support Team through the """"Contact Us"""" link at the top of the page."
"Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy.","The Clinical e-Protocol Support Team reviews quarterly the data for integrity, availability and accuracy."
"Identify who will have access to the PII in the system and the reason why they require access.","Administrators: Require access to PII to manage user accounts, perform system maintenance, monitor system security, and troubleshoot issues.; Developers: Require access to PII for debugging, implementing, and testing system features."
"Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.","System roles are defined based on job responsibilities and the principle of least privilege. Only roles that require access to PII to perform their duties are eligible. Users (administrators, developers) must submit a formal access request specifying the level of access required and the business justification for accessing PII."
"Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.","All the passwords are encrypted and stored in a database. If any work needs to be done on the system, system owners need to provide official approval."
"Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.","According to NIH policy, all personnel who manage or operate NIH applications must successfully complete annual security and privacy awareness training. Training is completed on the http://irtsectraining.nih.gov site with valid NIH credentials. Individuals with elevated privileges, such as Administrators, are additionally required to take Role-Based Training Courses. "
"Describe training system users receive (above and beyond general security and privacy awareness training).","In addition to NIH training, system owners, administrators, and developers meet monthly to discuss about the security and privacy related topics of the system."
"Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?","Yes"
"Describe the process and guidelines in place with regard to the retention and destruction of PII.","04-101, Employee Invention Reports and Patent Applications. Cut off following expiration, lapsing, withdrawal, or abandonment of all issued patents, and patent applications within an associated patent family; or unpatented inventions when not associated with licensable or available licensed research material. Destroy 6 years after cutoff or when no longer needed for business purposes occurs, whichever is later (DAA-0443-2016-0002-0001).07-203, System access records. Systems not requiring special accountability for access. Destroy when business use ceases (DAA-GRS-2013-0006-0003)."
"Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.","Administrative Controls:Access requests are managed, validated, and audited by the ePT Support Team and scheduled audits are performed to ensure accounts are validated and/or revoked if needed. Access Disclosure Agreements are required for all users. Technical Controls: Access to the system is controlled by NIH log-in which authenticates the user prior to granting access. Access level and permissions are controlled by the system and based on user, role, organizational unit, and status of the report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain integrity of data.                                                                                                                                Physical Controls: The servers reside in the Office of Information Technology (OIT) Computer Room where policies and procedures are in place to restrict access to the machines. This includes guards at the front door and entrance to the machine room."
"Identify the publicly-available URL:","https://e-protocol.od.nih.gov"
"Does the website have a posted privacy notice?","Yes"
"Is the privacy policy available in a machine-readable format?","Yes"
"Does the website use web measurement and customization technology?","No"
"Does the website have any information or pages directed at children uner the age of thirteen?","No"
"Does the website contain links to non- federal government websites external to HHS?","No"
