PIA Statement

PIA.pdf

Women In STEM High School Aerospace Scholars (WISH) Pilot Project

PIA Statement

OMB: 2700-0149

Document [pdf]

Download: pdf | pdf

NASA Privacy Impact Assessment (PIA) Analysis Worksheet

Section 1 - System Identification
a. System Name:

JSC AD - Women in STEM High School
Aerospace Scholars - http://TBD

(generally the name that the system is accessed by. www.nasa.gov, when Web
enabled, for example)

b. System Owner/Information Owner:
Person responsible for funding

c. System Manager:
Person responsible for technical operation

LINDA KAY. SMITH
Phone Number:281.483.7086
E-Mail:[email protected]
Valerie King
Phone Number: 281.483.5888
E-Mail: [email protected]

d. Person preparing IPTA/PIA:

Linda Smith
Phone Number: 281.483.7086
E-Mail: [email protected]

e. System Description:

On-line STEM learning experience for female high
school juniors

f. Mission Program/Project Supported:

Education Office/WISH

g. System Security Plan Number:

NN-001-M-JSC-9010

h. System Location:

Center:JSC
Street Address:2101 NASA Parkway
Building:
City:Houston
State:TX
ZIP:77062

(Center or contractor office building, room, city and state)

i. Status of the System:

Development

* As used in this document "System" means an organized collection of information which may encompass IT hardware systems,
applications, and databases. "System" may be an infrastructure, one or more applications, one or more databases, an electronic
information collection, or any combination thereof.

Page 1

Response

Comments

Section 2 - Privacy Impact Assessment Initial Screening
Must be completed for all systems.

a. Is this a new system or has any of
the major changes listed in the
Comments column occurred to the
system since the conduct of the last
IPTA/PIA?

New
System/Project
Previously not
assessed
Re-evaluation
Major Change

If Major Change selected, choose one of the
following
Conversions
Anonymous to Non-Anonymous
Significant System Management Changes
Significant Merging
New Public Access
Commercial Sources
Internal Flow or Collection
New Interagency Use
Alteration in Character of Data
Other (Describe):

b. Does this system/project relate solely
to an infrastructure?

Yes
No

If yes, how many applications currently reside
on infrastructure?

Page 2

Response
c. Does/Will the system contain (store)
information in identifiable form (IIF)
within any database(s), record(s), file(s)
or Web site(s) hosted by this system? If
yes, check all that apply in the
Comments column. If the category of
personal information is not listed,
please check Other and identify the
category.

Comments

Yes

Name

Date of birth
Social Security Number (or other number
originated by a government that specifically
identifies an individual)
Photographic identifiers (e.g., photograph
image, x-rays, and video)
Driver license
Biometric identifiers (e.g., fingerprint and
voiceprint)
Mother maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or
numbers (e.g., checking account number and
Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and
marriage)
Legal documents or notes (e.g., divorce
decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing
aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other (Describe):

Page 3

Response
d. Indicate all the categories of
individuals about whom IIF is or will be
collected.

Comments
Categories of individuals:
Government Employees
NASA Contractors
Members of the public (excluding
contractors and partners)
Business Partners/Contacts, Grantees
(including, but not limited to federal, state, local
agencies)
Contractors/Vendors/Suppliers
Other:

e. Are/Will Records on 10 or more
members of the public containing IIF
[be] collected, maintained (stored), or
disseminated by this system?

Yes
No
NA

Section 3 - Records Management Assessment
a. Does/Will the system contain Federal
records?

Yes
No

b. If the system contains/will contain
Federal records, which disposition
authority applies?

NRRS

Retention Schedule: 10EDUC

GRS
Unknown or
not currently
scheduled
NA

c. Are the records in this system (or will
they be) generated in the process of
NASA program/project formulation,
design, development, or operation as
described in NPR 7120?
d. Are the records Vital records for the
organization?

Yes
No
NA
Yes
No
NA

Section 4 - Paperwork Reduction Act Assessment
a. Does/will the system collect
information in a standard way (forms,
web enabled forms, surveys,
questionnaires, etc) from members of
the public (including contractors),
regardless of format (paper, electronic
or oral)?

Yes
No

If yes, indicate format of collection:
Paper
Electronic
Oral

Page 4

Response
b. Is the information collection indicated
above authorized by an OMB Approval
Number under the Paperwork
Reduction Act (PRA)? If yes, please
provide PRA Approval Number under
Comments.

Comments

Yes

PRA OMB Approval Number:

Applied for

Unknown/Other

Section 5 - Privacy Act Requirements Assessment
a. Are records (or will records) on
individuals be routinely retrieved from
the system by using name or a unique
identifier?

Yes
No

If yes, indicate data elements used to retrieve
record:
Name
Date of birth
Social Security Number (or other number
originated by a government that specifically
identifies an individual)
Photographic identifiers (e.g., photograph
image, x-rays, and video)
Driver license
Biometric identifiers (e.g., fingerprint and
voiceprint)
Mother maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or
numbers (e.g., checking account number and
Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and
marriage)
Legal documents or notes (e.g., divorce
decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing
aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other (Describe):

Page 5

Response
b. Has a Privacy Act System of Records
Notice (SORN) been published in the
Federal Register for this system? If no,
choose the reason of why not or specify
other reason in the Comments column.

Yes
No
NA

Comments
IIF is in the system, but records are not
retrieved by individual identifier.
Should have published an SORN, but was
unaware of the requirement.
System is required to have an SORN but is
not yet procured or operational.
Other (Describe):

c. If a SORN has been published, have
major changes to the system occurred
since publication of the SORN?

Yes
No
NA

Section 6 - Information Sharing Practices
Note: If yes, specify resource(s) and purpose for each instance in the Comments column.

a. Is the IIF in the system voluntarily
submitted (or will it be)?

Yes
No
NA

b. Does/Will the system collect IIF
directly from individuals?

Yes
No
NA

c. Does/Will the system collect IIF from
other resources (i.e., databases, Web
sites, etc.)?

Yes
No
NA

d. Does/Will the system populate data
for other resources (i.e., do databases,
Web sites, or other resources rely on
this system's data)?

Yes

Resource and Purpose:

2
3
4
Other

e. Does/Will the system share or
disclose IIF with agencies external to
NASA, or other people or organizations
outside NASA?

Yes

With whom and for what purpose:

2
3
4
Other

Page 6

Response
f. If the IIF in the system is or will be
matched against IIF in one or more
other computer systems internal or
external to NASA, are (or will there be)
computer data matching agreement(s)
in place?

Yes
No

Comments
Location of other systems involved in
matching:
Internal to NASA

NA
External to NASA
Other systems involved in matching:

g. Will the IIF be de-identified,
aggregated, or otherwise made
anonymous?

h. Is there a process, either planned or
in place, to notify organizations or
systems that are dependent upon the
IIF contained in this system when
changes occur (i.e., revisions to IIF,
when the system encounters a major
change, or is replaced)?
i. Is there a process, either planned or
in place, to notify and obtain consent
from the individuals whose IIF is in the
system when major changes occur to
the system (e.g., disclosure and/or data
uses have changed since the notice at
the time of the original collection?
j. Is there (or will there be) a process in
place for individuals to choose how their
IIF is used?

Yes

De-identified

Aggregated

Anonymous

Yes
No
NA

Yes

Process:

No
NA

k. Is there (or will there be) a complaint
process in place for individuals who
believe that their IIF has been
inappropriately obtained, used, or
disclosed, or that the IIF is inaccurate?
l. Are there (or will there be) processes
in place for periodic reviews of IIF
contained in the system to ensure the
data's integrity, availability, accuracy,
and relevance?

Yes
No
NA
Yes
No
NA

Page 7

Response
m. Are there (or will there be) rules of
conduct in place for access to IIF on the
system?

Comments

Yes

Users

Administrators

Developers
Contractors
For what purpose:
1 Administrators manage program
2 Developers manage database
3
4
Other

n. Is there (or will there be) a process in
place to log routine and non-routine
disclosures and/or unauthorized
access?

Yes

Disclosures logged (check all apply):

Routine

Non-routine
Public Internet (Describe):

Section 7 - Web Site Hosting Practices
Note: If yes, identify what type of site the system hosts in the Comments column.If no or n/a, skip this section and start with
next section.

a. Does/Will the system have a Web
interface?

b. Is the Web site (or will it be)
accessible by the public or other entities
(i.e., federal, state, and local agencies,
contractors, third-party administrators,
etc.)?

Yes

Type of site (check all apply):

Public Internet (Describe): null

Internal NASA (Describe):

Yes

1 public

3
4

c. Is the Agency Web site privacy policy
statement posted (or will it be posted)
on the Web site?

Yes
No
NA

d. Is the Web site's privacy policy in
machine-readable format, such as
Platform for Privacy Preferences
(P3P)?

Yes

Implementation Plan:

No
NA

Page 8

Response
e. Does/Will the Web site employ
persistent tracking technologies?

Comments

Yes

Session cookies

Persistent cookies

Web bugs
Web beacons
Other (Describe):
Authorizing Official:
Authorizing Date:

f. Does/Will the Web site collect or
maintain personal information from or
about children under the age of 13?

Yes
No
NA

g. Does/Will the Web site collect or
maintain personal information from or
about children under the age of 13,
please indicate how the information is
collected?

What Information is collected:
How the information is collected (check all
apply):
Actively directly from the child
Passively through cookies

h. If the Web site does/will collect or
maintain personal information from or
about children under the age of 13, is
the information shared with any
non-NASA organizations, grantees,
universities, etc.?
i. If the Web site does/will collect or
maintain personal information from or
about children under the age of 13,
specify what method is used for
obtaining parental consent?

Yes

Information is shared with:

No
NA

Method used for obtaining parental consent
(check all apply):
No consent is obtained
Simple email
Email accompanied by digital signature
Signed form from the parent via postal mail
or facsimile
Accepting and verifying a credit card
number in connection with a transaction
Taking calls from parents, through a
toll-free telephone number staffed by trained
person

Page 9

Response
j. Does/Will the Web site collect IIF
electronically from any individuals?

Comments

Yes

Personal Information

Name

Page 10

Response
k. Does/Will the Web site provide a
PDF form to be completed with IIF from
any individuals and then mailed or
otherwise provided to NASA?

Comments

Yes

Personal Information

Name

l. Does/Will the Web site share IIF with
other organizations within NASA,
agencies external to NASA, or other
people or organizations outside NASA?

Yes

With whom Information is shared:

2
Other

Page 11

Response
m. Are rules of conduct in place (or will
they be in place) for access to IIF on
the Web site?

Comments

Yes

Users

Administrators

Developers
Contractors
For what purpose:
1 Administrators manage program
2 Developers manage data
3 Contractors same as Developers
4
Other

n. Does/Will the Web site contain links
to sites external to the Center that owns
and/or operates the system?

Yes

Disclaimer notice for all external links

No
NA

Section 8 - Administrative Controls
Note: If yes, enter the CA (Authorization to Operate (ATO)) date in the comments column. If no or the system is under
development and not yet authorized to operate the time of this PIA, please enter a planned CA timeline in the comments
column.

a. Has the system been certified and
accredited (authorized to operate): 'y' or
'n'?

Yes

CA Plan/Timeline:

No
NA

b. Have personnel (system owners,
managers, operators, contractors
and/or program managers) using the
system been (or will they be) trained
and made aware of their responsibilities
for protecting the IIF being collected
and maintained?

Yes
No
NA

c. Who has/will have access to the IIF
on the system?

Check all that apply
Users
Administrators
Developers
Contractors
Others

d. If contractors operate or use the
system, do the contracts include
clauses ensuring adherence to privacy
provisions and practices?

Yes
No
NA

Page 12

Response
e. Are methods in place to ensure that
access to IIF is restricted to only those
required to perform their official duties?

Yes
No

Comments
Method(s): Access not given to individuals who
do not need it.

NA
f. Are there policies or guidelines in
place for the retention and destruction
of IIF within the application/system?

Yes

Policies/Practices:

No
NA

Section 9 - Technical Controls
a. Are technical controls in place to
minimize the possibility of unauthorized
access, use, or dissemination of the
data in the system (or will there be)?

Yes
No
NA

b. Are any of the password controls
listed in the Comments column in place
(or will there be)?

Yes
No
NA

Check all that apply:
Passwords expire after a set period of time.
Accounts are locked after a set period of
inactivity.
Minimum length of passwords is eight
characters.
Passwords must be a combination of
uppercase, lowercase, and special characters.
Accounts are locked after a set number of
incorrect attempts.

c. Is there (or will there be) a process in
place to monitor and respond to privacy
and/or security incidents?

Yes
No
NA

Section 10 - Physical Controls
a. Are physical access controls in place
(or will they be)?

Yes
No
NA

Page 13

Privacy Impact Assessment (PIA) Summary
Date of this Submission: Jan 27, 2011
NASA Center: JSC
System Name: JSC AD - Women in STEM High School Aerospace Scholars - http://TBD
Is this application or information collection new or is an existing one being modified? Not New
Does this application collect, maintain, and/or disseminate information in identifiable form (IIF)? Yes
Mission Program/Project Supported: Education Office/WISH
Identifying Numbers (Use N/A, where appropriate)
Privacy Act System of Records Number: N/A
OMB Information Collection Approval Number and Expiration Date: N/A
Other Identifying Number(s): N/A

Description
1. Provide an overview of the application or collection and indicate the legislation authorizing
this activity:
This system distributes information to participants of a NASA administered project. The system
collects information on applicants, and handles homework assignments that are submitted by
participants.

2. Describe the information the agency will collect, maintain, or disseminate and how the
agency will use the information. In this description, indicate whether the information contains
IIF and whether submission is voluntary or mandatory:
The system collects and uses the following information: Student Names (IIF # Optional) # used to
identify the students throughout the program and to arrange for travel. Failure to provide data may
impair a student#s ability to qualify for enrollment in the educational program. Date of Birth (IIF #
Optional) # used to verify that students are eligible to participate in the program. Failure to provide
data may impair a student#s ability to qualify for enrollment in the educational program. Mailing
Address (IIF # Optional) # used to send program related documents to the students, arrange travel,
and log the legislative districts that are being serviced by the program. Failure to provide data may
impair a student#s ability to qualify for enrollment in the educational program. Phone Numbers (IIF #
Optional) # used to follow-up on student assignments, travel information, and as an emergency
contact number when the students are on-site during the summer. Failure to provide data may impair
a student#s ability to qualify for enrollment in the educational program. E-mail Address (IIF # Optional)
# used as the primary form of contact during the school-year when students are participating remotely.
Failure to provide data may impair a student#s ability to qualify for enrollment in the educational
program. Education Records (IIF # Optional) # used to ensure that the students are academically
eligible to participate in the program. Failure to provide data may impair a student#s ability to qualify
for enrollment in the educational program.

3. Explain how the IIF is collected, maintained, and/or disseminated is the minimum necessary
to accomplish the purpose for this effort:
All of the collected information stated above is necessary for the successful administration of this
program.

Page 14

4. Explain why the IIF is being collected, maintained, or disseminated:
Explained in Question number 2

5. Identify with whom the agency will share the IIF:
The agency shares no IIF with anyone outside of the agency with the exception of sharing with U.S.
Senators and Representatives the constituents' names and cities. Additionally summaries of
information, such as #state districts represented# may be published but do not contain personal
information regarding the students.

6. Describe how the IIF will be obtained, from whom it will be collected, what the suppliers of
the information and the subjects will be told about the information collection, and how this
message will be conveyed to them (e.g. written notice, electronic notice if a Web-based
collection). Describe any opportunities for consent provided to individuals regarding what
information is collected and how the information will be shared:
The IIF is obtained through online forms from high school juniors. The suppliers of the information are
notified of the JSC Web Accessibility and Policy Notices through a link at the bottom of each
Webpage. Suppliers of information are notified electronically at the time that they are inputting
information.

7. State whether the personal information will be collected from children under age 13 on the
Internet and, if so, how parental or guardian approval will be obtained. (Reference: Children's
Online Privacy Protection Act of 1998):
No information is collected from children under the age of 13.

8. Describe how the IIF will be secured:
All access to IIF is behind a password protected SSL location. Backup drives of the IIF are stored
offline behind physical security devices.

9. Describe plans for retention and desctruction on IIF:
All electronic IIF is stored in the same secure manner for a period of at least five years. Once the data
has been deemed unnecessary to maintain, it will be deleted. Retention Schedule: Schedule 1 Item 32
Sub-Item A

10. Identify whether a system of records is being created under section 552a of Title 5, United
States Code (the Privacy Act), or identify the existing Privacy Act system of records notice
under which the records will be maintained:
The system is covered under 10EDUC. The following decisions resulted from conducting the PIA: #1.
IIF access rules of conduct will be established.

Page 15

Point of contact to whom a member of the public can address questions concerning this
information system and the privacy concerns associated with it:

Page 16

Concur:

Concurrence Credentials on File

LINDA KAY. SMITH
System Owner

JOREEN YU. LEE
Center Privacy Manager

Date:

Concur:

Approve:

Concurrence Credentials on File
BRYAN D. MCCALL
NASA Privacy Program Manager

LINDA Y. CURETON
NASA CIO

Date:

Date

Page 17

Document History
Date

Action

Message

10/25/10

Delegated to:LINDA SMITH

Please revise. Thanks.

10/22/10

Delegated to:JOREEN LEE

Furhter changes based on review.

Page 18

File Type	application/pdf
File Modified	0000-00-00
File Created	0000-00-00