﻿"prompt","response"
"Date Signed:","03/11/2025"
"OPDIV:","NIH"
"Name:","ORWH Application Portal"
"PIA Unique Identifier:","P-3475995-320405"
"The subject of this PIA is which of the following?","Electronic Information Collection "
"Identify the Enterprise Performance Lifecycle Phase of the system.","Operations and Maintenance"
"Is this a FISMA-Reportable system?","No"
"Does the system include a Website or online application available to and for the use of the general public?","Yes"
"Identify the operator.","Agency"
"Is this a new or existing system?","Existing"
"Does the system have Security Authorization (SA)?","Yes"
"Indicate the following reason(s) for updating this PIA.","PIA Validation"
"Describe in further detail any changes to the system that have occurred since the last PIA.","The PIA has been updated to meet the requirements of Executive Order - Defending Women From Gender Ideology Extremism And Restoring Biological Truth To The Federal Government."
"Describe the purpose of the system.","The Office of Research on Women's Health (ORWH) Application Portal is a set of Online courses and database for public and employee training on sex and sex- related differences. It is used to characterize individual's baseline understandings of the subject matter; to assess user engagement and learning; to identify demographic trends across course users in order to inform future course dissemination strategies; to assess course effectiveness; to identify barriers and facilitators to the implementation of the NIH sex as a biological variable policy; and to identify areas of focus for future course development and expansion. "
"Describe the type of information the system will collect, maintain (store), or share.","The types of information that is collected and maintained through assessments, surveys and knowledge checks includes the following personally identifiable information (PII): names, emails, phone numbers, mailing addresses, employment statuses, sex, demographic information, and login credentials (user name and password for members of the public).  The ORWH Application Portal uses specific login information to assign permissions/user roles for government employees and direct contractors which is considered Personally Identifiable Information (PII). However, this is done by using the NIH Identity, Credential, and Access Management Services: Identity Management Services (IMS), which combines the identity and authentication tools and capabilities used throughout the NIH enterprise. The IMS has its own approved PIA on record, including all legal authorities documented."
"Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.","The Office of Research on Women's Health (ORWH) Application Portal is a set of Online courses and database for public and employee training on sex differences. It is used to characterize individual's baseline understandings of the subject matter; to assess user engagement and learning; to identify demographic trends across course users in order to inform future course dissemination strategies; to assess course effectiveness; to identify barriers and facilitators to the implementation of the NIH sex as a biological variable policy; and to identify areas of focus for future course development and expansion. The types of information that is collected and maintained through assessments, surveys and knowledge checks includes the following personally identifiable information (PII): names, emails, phone numbers, mailing addresses, employment statuses, sex, demographics, and login credentials (user name and password for members of the public).  The ORWH Application Portal uses specific login information to assign permissions/user roles for government employees and direct contractors which is considered Personally Identifiable Information (PII). However, this is done by using the NIH Identity, Credential, and Access Management Services: Identity Management Services (IMS), which combines the identity and authentication tools and capabilities used throughout the NIH enterprise. The IMS has its own approved PIA on record, including all legal authorities documented."
"Does the system collect, maintain, use or share PII?","Yes"
"Indicate the type of PII that the system will collect or maintain.","Name; E-Mail Address; Mailing Address; Phone Numbers; Employment Status; login Credentials; sex; demographic information"
"Indicate the categories of individuals about whom PII is collected, maintained or shared.","Employees; Public Citizens"
"How many individuals' PII is in the system?","500-4,999"
"For what primary purpose is the PII used?","The primary purpose of the PII being collected is to identify individual's scientific understanding of sex-related differences, and to assess course effectiveness and strategies for future course growth."
"Describe the secondary uses for which the PII will be used.","NA"
"Identify legal authorities governing information use and disclosure specific to the system and program.","42 USC 241 and 282 "
"Are records on the system retrieved by one or more PII data elements?","Yes"
"Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being use to cover the system or identify if a SORN is being developed.","OPM/GOVT-1, General Personnel Records; OPM/GOVT-6, Personnel Research and Test Validation Records; 09-25-0108, Personnel: Guest Researchers, SpecialVolunteers, and Scientists Emeriti,HHS/NIH/OHRM"
"Identify the sources of PII in the system.","Directly from an individual about whom the information pertains - Online; Government Sources - Within OpDiv; Non-Governmental Sources - Public"
"Identify the OMB information collection approval number and expiration date","ORWH is working to obtain an OMB information collection approval number."
"Is the PII shared with other organizations?","No"
"Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.","The Portal displays a warning page, including a Privacy Act Statement, informing individuals that personal information will be collected."
"Is the submission of PII by individuals voluntary or mandatory?","Voluntary"
"Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.","Individuals are not required to provide any personally identified information (PII) but if they don't provide any information then they will not be able to participate or use the Online ORWH trainings."
"Process to notify and obtain consent from individuals whose PII is in the system when major changes occur to the system.","In the case of majors changes to the scope of PII contained within the Portal, ORWH administrators would notify individuals by email. "
"Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate.","If an individual has concerns about how their PII is being obtained or used, they may reach out to the system owner or the ORWH division. ORWH administrators will then reach out via email."
"Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy.","The ORWH Application Portal has annual reviews of PII contained in the system, as well as audits of data logs to assure all information is accurate and relevant."
"Identify who will have access to the PII in the system and the reason why they require access.","Users: Have access to their own PII for managing their profile.; Administrators: Have access to perform their daily job duties and review data and surveys regarding the quality of the trainings.; Developers: Developers have limited access for system maintenance and developing system updates.; Contractors: Direct contractors have access to perform their daily job duties and review data and surveys regarding the quality of the trainings."
"Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.","Determinations are made based on Role based access controls and least privilege.  User rights are provisioned based on controls within the system, allowing users only access to the minimum amount of PII necessary to perform their job."
"Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.","Determinations are made based on Role based access controls and least privilege.  User rights are provisioned based on controls within the system, allowing users only access to the minimum amount of PII necessary to perform their job."
"Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.","The NIH Security Awareness Training course is used to satisfy this requirement. According to NIH policy, all personnel who use NIH applications must attend security awareness training every year.  There are five categories of mandatory IT training (Information Security, Counterintelligence, Privacy Awareness, Emergency Preparedness and Records Management). Training is completed on the http://irtsectraining.nih.gov site with valid NIH credentials."
"Describe training system users receive (above and beyond general security and privacy awareness training).","NA"
"Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?","Yes"
"Describe the process and guidelines in place with regard to the retention and destruction of PII.","Records are maintained in accordance with the following NARA record retention schedules:    General Records Schedule (GRS) 2.6.010, Non-mission employee training records; DAA-GRS-2016-0014-000. Destroy when 3 years old, or 3 years after superseded or obsolete, whichever is appropriate, but longer retention is authorized if required for business use."
"Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.","Administrative Controls:  System users are approved for access and permissions based on their functional role. Anyone with access to the system has been vetted and approved by management based on their job duties and need to have access.                                                                                                                                                                                                                                           Technical Controls: Access to the system is controlled by NIH log-in which authenticates the user prior to granting access. Access level and permissions are controlled by the system and based on user, role, organizational unit, and status of the report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain integrity of data.                                                                                                                                Physical Controls: For information that is pulled from CIT,  servers reside in the Center for Information Technology (CIT) Computer Room where policies and procedures are in place to restrict access to the machines. This includes guards at the front door and entrance to the machine room.  Once information is transferred over to ORWH and uploaded to servers residing in the Office of Information Technology (OIT) Data Center, policies and procedures are in place to restrict access to the machines."
"Identify the publicly-available URL:","https://orwh.od.nih.gov/career-development-education"
"Does the website have a posted privacy notice?","Yes"
"Is the privacy policy available in a machine-readable format?","Yes"
"Does the website use web measurement and customization technology?","Yes"
"Select the type of website measurement and customization technologies is in use and if it is used to collect PII.","Session Cookies that do not collect PII."
"Does the website have any information or pages directed at children uner the age of thirteen?","No"
"Does the website contain links to non- federal government websites external to HHS?","No"
