The C&E Team looked at the IIF you listed in question 19 and we feel this does NOT constitute a “unique identifier”. We will process the ABC PIA promptly and notify you when it’s promoted.
Compliance & Education Analyst (1)
Lockheed Martin (contractor)
Office of the Chief Information Security Officer
Centers for Disease Control and Prevention
[email protected]
From:
Sent: Wednesday, April 30, 2008 10:58 AM
To:
Subject: RE: SORN for ABC
Yes, but statement 3 in the section "Does the Privacy Act apply to all records in which individually identified data are collected?" for considering factors referring to the primary method by which the data will be retrieved reads - The Privacy Act applies if data are retrieved by name or SSN; but if data are primarily retrieved by another variable, the Privacy Act does not apply. Then gives an example.
I did refer to the section describing the SORN, but that does not resolve the conflicting statements as to whether the system is subject to the Privacy Act. The data are not retrieved by any identifier.
From:
Sent: Wednesday, April 30, 2008 10:29 AM
To:
Subject: SORN for ABC
Carolyn,
I’m very familiar with the document you provided. The term "system of records" refers to a group of records under the control of a Federal agency from which information is retrieved by the name of the individual, identifying number, or some other identifying particular.
If you checked any IIF items in question 17 of the PIA then yes it’s subject to the Privacy Act (question 21).
A SORN is based on the system description and you can choose from CDC and HHS SORNs. See the link below.
Compliance & Education Analyst (1)
Lockheed Martin (contractor)
Office of the Chief Information Security Officer
Centers for Disease Control and Prevention
[email protected]
From:
Sent: Tuesday, April 29, 2008 11:23 AM
To:
Subject: FW:
It is my understanding, based on the documented guidelines for determining if the Privacy Act applied to a system, that unless the primary method for data retrieval is by SSN or name, the Privacy Act does not apply. Therefore a SORN was not required. Though the system does collect date of birth for individual cases, case data are retrieved and analyzed in aggregate form based on the year of first positive culture, not DOB.
The guidelines also stated that the Privacy Act was not applicable to data collections performed by cooperative agreement holders. All states participating in ABCs data collection activities are cooperative agreement holders.
Please let me know if this is not the case. The link to the document I am referencing is http://intranet.cdc.gov/od/ocso/osrs/privacy/guidelin.htm
Carolyn Wright
NCIRD
Division of Bacterial Diseases
Respiratory Diseases Branch
(404) 639-1263
From:
Sent: Tuesday, April 29, 2008 10:41 AM
To:
Subject:
Carolyn,
You answered yes to question 17 which means you have to answer yes to question 21 because IIF is part of the Privacy Act.
Question 4 is missing a SORN. Please go to the link I provided below and select one SORN. You may choose from a CDC or HHS SORN. A SORN is based on the system description.
http://www.hhs.gov/foia/privacy/index.html#SORNSs
Compliance & Education Analyst (1)
Lockheed Martin (contractor)
Office of the Chief Information Security Officer
Centers for Disease Control and Prevention
[email protected]