06.1 HHS Privacy Impact Assessment (Form) / [NIOSH Dose Reconstruction System]
Primavera ProSight

PIA SUMMARY
The following required questions with an asterisk (*) represent the information necessary to complete the PIA Summary for transmission to the Office of Management and Budget (OMB) and public posting in accordance with OMB Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. If no personally identifiable information (PII) is contained in the system, please answer questions in the PIA Summary Tab and then promote the PIA to the Senior Official for Privacy who will authorize the PIA. If this system contains PII, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

Summary of PIA Required Questions
*Is this a new PIA?:
Yes
If this is an existing PIA, please provide a reason for revision:

*1. Date of this Submission:
05/01/2009
*2. OPDIV Name:
NIOSH/OCAS
*3. Unique Project Identifier (UPI) Number for current fiscal year:
009-20-01-05-02-9522-00
*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):
Privacy Act System Notice 09-20-0147
*5. OMB Information Collection Approval Number:
OMB No. 0920-0530
*6. Other Identifying Number(s):

*7. System Name (Align with system item name):
NIOSH Dose Reconstruction System
*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:
Leroy Turner

Point of Contact Information
POC Name | Leroy Turner
*10. Provide an overview of the system:
NIOSH established the Office of Compensation Analysis and Support (OCAS) to assist with implementing a program created by the Energy Employees Occupational Illness Compensation Program Act of 2000 (EEOICPA or The Act), which provides compensation and medical benefits for nuclear weapons workers who may have developed certain work-related illnesses. OCAS works closely with the Department of Energy (DOE), the Department of Labor (DOL), and the Department of Justice (DOJ). The mission of the NIOSH Dose Reconstruction System is to determine eligibility for compensation and to support the processing and tracking of claims for compensation and medical benefits from DOL for government nuclear weapons workers under the EEOICPA, through radiation dose reconstruction.
*13. Indicate if the system is new or an existing one being modified:
Existing
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?:
Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation.
The following information in identifiable form, submitted by claimants and/or their families, is collected by the system: Date of Birth, SSN, Photographic Identifiers, Driver's License, Biometric Identifiers, Mother's Maiden Name, Mailing Address, Phone Number, Medical Notes, Medical Records Numbers, Legal Documents, Device Identifiers, Web URLs, Email Address, Education Records, Military Status, Employment Status, Other: Financial Information related to claims processing.
*21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):
Yes, Privacy Act System Notice 09-20-0147
*23. If the system shares or discloses PII, please specify with whom and for what purpose(s):

*30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:
The system collects PII that is submitted by former government nuclear weapons workers and/or their families under the EEOICPA to facilitate radiation dose reconstruction and determine eligibility, so that a claim for compensation and medical benefits can be filed with the Department of Labor. The mandatory PII that we collect, maintain and disseminate (name, date of birth, social security number, mailing address, phone number, medical records numbers, medical notes, legal documents, e-mail address, and employment status) is used to perform dose reconstruction under EEOICPA and other analysis required to process financial claims brought against the US government by individual claimants.
*31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])
There is no process to notify affected individuals when any system changes are made.
All PII contained in this system had previously been collected by the site where the individual worked. Release of their PII at that time was a condition of employment. Claimants under the EEOICPA sign a Privacy Act advisement that provides notice that the project will store and use their PII data.
Department of Energy personnel access the Site Research Database (SRDB) to determine if there are any classification issues with the documents being stored. Upon request, we provide documents to the Department of Labor to support EEOICPA Part E (chemical exposure). Documents that are accessed may contain PII data.

*32. Does the system host a website?:
No
*37. Does the website have any information or pages directed at children under the age of thirteen?:
No
*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
Yes
*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.:
A unique ID and password are required to access the information on the CDC network. All users on the CDC network are required to take Privacy Act training prior to being granted access.
This is covered in the DOSEREC Computer Security Plan and the NIOSH Dose Reconstruction System Policies and Procedures Guide.
PIA REQUIRED INFORMATION

HHS Privacy Impact Assessment (PIA)
The PIA determines if Personally Identifiable Information (PII) is contained within a system, what kind of PII, what is done with that information, and how that information is protected. Systems with PII are subject to an extensive list of requirements based on privacy laws, regulations, and guidance. The HHS Privacy Act Officer may be contacted for issues related to the Freedom of Information Act (FOIA) and the Privacy Act. Respective Operating Division (OPDIV) Privacy Contacts may be contacted for issues related to the Privacy Act. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions related to the administrative, technical, and physical controls of the system. Please note that answers to questions with an asterisk (*) will be submitted to the Office of Management and Budget (OMB) and made publicly available in accordance with OMB Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible.

General Information
*Is this a new PIA?:
Yes
If this is an existing PIA, please provide a reason for revision:

*1. Date of this Submission:
03/XX/09
*2. OPDIV Name:
NIOSH/OCAS
*3. Unique Project Identifier (UPI) Number for current fiscal year:
009-20-01-05-02-9522-00
If the system does not have a UPI, please explain why it does not:

*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):
Privacy Act System Notice 09-20-0147
*5. OMB Information Collection Approval Number:
OMB No. 0920-0530
OMB Collection Approval Number Expiration Date:
Exp. Date 1/31/09
*6. Other Identifying Number(s):

*7. System Name: (Align with system item name)
NIOSH Dose Reconstruction System
8. System Location: (OPDIV or contractor office building, room, city, and state)
OPDIV, Taft Laboratory, 4676 Columbia Parkway, Cincinnati, Ohio, Room 208

System Location:
OPDIV or contractor office building | OPDIV, NIOSH, Taft Laboratory, 4676 Columbia Parkway
Room | 208
City | Cincinnati
State | Ohio

*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:
Leroy Turner

Point of Contact Information
POC Name | Leroy Turner

The following information will not be made publicly available:
POC Title | IT Team Leader
POC Organization | NIOSH/OCAS
POC Phone | 513-533-6811
POC Email | [email protected]

*10. Provide an overview of the system:
NIOSH established the Office of Compensation Analysis and Support (OCAS) to assist with implementing a program created by the Energy Employees Occupational Illness Compensation Program Act of 2000 (EEOICPA or The Act), which provides compensation and medical benefits for nuclear weapons workers who may have developed certain work-related illnesses. OCAS works closely with the Department of Energy (DOE), the Department of Labor (DOL), and the Department of Justice (DOJ). The mission of the NIOSH Dose Reconstruction System is to determine eligibility for compensation and to support the processing and tracking of claims for compensation and medical benefits from DOL for government nuclear weapons workers under the EEOICPA, through radiation dose reconstruction.
SYSTEM CHARACTERIZATION AND DATA CATEGORIZATION

System Characterization and Data Configuration
11. Does HHS own the system?:
Yes
If no, identify the system owner:

12. Does HHS operate the system?:
Yes
If no, identify the system operator:

*13. Indicate if the system is new or an existing one being modified:
Existing
14. Identify the life-cycle phase of this system:
Operation/Maintenance
15. Have any of the following major changes occurred to the system since the PIA was last submitted?:

Please indicate “Yes” or “No” for each category below:
Category | Yes/No
Conversions | Yes
Anonymous to Non-Anonymous | No
Significant System Management Changes | No
Significant Merging | No
New Public Access | No
Commercial Sources | No
New Interagency Uses | Yes
Internal Flow or Collection | No
Alteration in Character of Data | No

16. Is the system a General Support System (GSS), Major Application (MA) or Minor Application?:
General Support System
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?:
Yes
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any PII, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or whether it is personal information about business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation.
The following information in identifiable form, submitted by claimants and/or their families, is collected by the system: Date of Birth, SSN, Photographic Identifiers, Driver's License, Biometric Identifiers, Mother's Maiden Name, Mailing Address, Phone Number, Medical Notes, Medical Records Numbers, Legal Documents, Device Identifiers, Web URLs, Email Address, Education Records, Military Status, Employment Status, Other: Financial Information related to claims processing.

Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII.
Categories | Yes/No
Name | Yes
Date of Birth | Yes
Social Security Number (SSN) | Yes
Photographic Identifiers | Yes
Driver’s License | Yes
Biometric Identifiers | Yes
Mother’s Maiden Name | Yes
Vehicle Identifiers | No
Mailing Address | Yes
Phone Numbers | Yes
Medical Records Numbers | Yes
Medical Notes | Yes
Financial Account Information | No
Certificates | No
Legal Documents | Yes
Device Identifiers | Yes
Web Uniform Resource Locator(s) (URL) | Yes
Email Address | Yes
Education Records | Yes
Military Status | Yes
Employment Status | Yes
Foreign Activities | No
Other: Financial information related to claims processing | Yes

18. Please indicate the categories of individuals about whom PII is collected, maintained, disseminated and/or passed through. Note: If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII. Please answer "Yes" or "No" to each of these choices (NA in other is not applicable).
Categories | Yes/No
Employees | Yes
Public Citizen | Yes
Patients | Yes
Business partners/contacts (Federal, state, local agencies) | Yes
Vendors/Suppliers/Contractors | Yes
Other | No

19. Are records on the system retrieved by one or more data elements?:

Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII.
Categories | Yes/No
Name | Yes
Date of Birth | Yes
SSN | Yes
Photographic Identifiers | Yes
Driver’s License | Yes
Biometric Identifiers | Yes
Mother’s Maiden Name | Yes
Vehicle Identifiers | No
Mailing Address | Yes
Phone Numbers | Yes
Medical Records Numbers | Yes
Medical Notes | Yes
Financial Account Information | No
Certificates | No
Legal Documents | Yes
Device Identifiers | Yes
Web URLs | Yes
Email Address | Yes
Education Records | Yes
Military Status | Yes
Employment Status | Yes
Foreign Activities | No
Other: Financial information related to claims processing | Yes

20. Are 10 or more records containing PII maintained, stored or transmitted/passed through this system?:
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21 must be Yes and a SORN number is required for Q.4):
Yes, Privacy Act System Notice 09-20-0147
21 A. If yes, but a SORN has not been created, please provide an explanation:

INFORMATION SHARING PRACTICES

Information Sharing Practices
22. Does the system share or disclose PII with other divisions within this agency, external agencies, or other people or organizations outside the agency?:
Yes

Please indicate “Yes” or “No” for each category below:
Category | Yes/No
Name | Yes
Date of Birth | Yes
SSN | Yes
Photographic Identifiers | No
Driver’s License | No
Biometric Identifiers | No
Mother’s Maiden Name | Yes
Vehicle Identifiers | No
Mailing Address | Yes
Phone Numbers | Yes
Medical Records Numbers | Yes
Medical Notes | Yes
Financial Account Information | No
Certificates | No
Legal Documents | Yes
Device Identifiers | Yes
Web URLs | Yes
Email Address | Yes
Education Records | No
Military Status | No
Employment Status | Yes
Foreign Activities | No
Other | No

*23. If the system shares or discloses PII, please specify with whom and for what purpose(s):

24. If the PII in the system is matched against PII in one or more other computer systems, are computer data matching agreement(s) in place?:
No
25. Is there a process in place to notify organizations or systems that are dependent upon the PII contained in this system when major changes occur (i.e., revisions to PII, or when the system is replaced)?:
Yes
26. Are individuals notified how their PII is going to be used?:
Yes
If yes, please describe the process for allowing individuals to have a choice. If no, please provide an explanation:
Claimants sign a Privacy Act advisement that provides notice that their data will be used on this project.
27. Is there a complaint process in place for individuals who believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate?:
No
If yes, please describe briefly the notification process. If no, please provide an explanation:
These data are collected from documents which have been released by the associated site. They contain PII data that were collected as a requirement for employment at that site.
28. Are there processes in place for periodic reviews of PII contained in the system to ensure the data’s integrity, availability, accuracy and relevancy?:
Yes
If yes, please describe briefly the review process. If no, please provide an explanation:
Documents are reviewed for the presence of dosimetry data. When such data are found, they are keyed into the Site Research Database (SRDB), along with other PII data. At that time, the NIOSH Claims Tracking System (NOCTS) database is queried to determine if the individual is a claimant. If so, the data are compared against NOCTS for accuracy. If inconsistencies are found, we notify the appropriate personnel in NIOSH for resolution.
29. Are there rules of conduct in place for access to PII on the system?:
Yes
Please indicate "Yes," "No," or "N/A" for each category. If yes, briefly state the purpose for each user to have access:
Users with access to PII | Yes/No/N/A | Purpose
User | Yes | To perform dose reconstruction under EEOICPA to determine eligibility for compensation.
Administrators | Yes | Troubleshooting
Developers | Yes | Troubleshooting
Contractors | Yes | To perform dose reconstruction under EEOICPA to determine eligibility for compensation.
Other | N/A | N/A

*30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) in this description, explicitly indicate whether the information contains PII; and (4) whether submission of personal information is voluntary or mandatory:
The system collects PII that is submitted by former government nuclear weapons workers and/or their families under the EEOICPA to facilitate radiation dose reconstruction and determine eligibility, so that a claim for compensation and medical benefits can be filed with the Department of Labor. The mandatory PII that we collect, maintain and disseminate (name, date of birth, social security number, mailing address, phone number, medical records numbers, medical notes, legal documents, e-mail address, and employment status) is used to perform dose reconstruction under EEOICPA and other analysis required to process financial claims brought against the US government by individual claimants.
*31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) notify and obtain consent from individuals regarding what PII is being collected from them; and (3) how the information will be used or shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])
There is no process to notify affected individuals when any system changes are made.
All PII contained in this system had previously been collected by the site where the individual worked. Release of their PII at that time was a condition of employment. Claimants under the EEOICPA sign a Privacy Act advisement that provides notice that the project will store and use their PII data.
Department of Energy personnel access the Site Research Database (SRDB) to determine if there are any classification issues with the documents being stored. Upon request, we provide documents to the Department of Labor to support EEOICPA Part E (chemical exposure). Documents that are accessed may contain PII data.

WEBSITE HOSTING PRACTICES

Website Hosting Practices
*32. Does the system host a website?:
No

Please indicate “Yes” or “No” for each type of site below:
Type of site | Yes/No
Internet | No
Intranet | Yes
Both | No

33. Is the website accessible by the public or other entities (i.e., Federal, state, and/or local agencies, contractors, third party administrators, etc.)?:
No
34. Is a website privacy policy statement (consistent with OMB M-03-22 and Title II and III of the E-Government Act) posted on the website?:
Yes
35. Is the website’s privacy policy in machine-readable format, such as Platform for Privacy Preferences (P3P)?:
Yes
If no, please indicate when the website will be P3P compliant:

36. Does the website employ tracking technologies?:
No

Please indicate “Yes”, “No”, or “N/A” for each type of cookies below:
Type | Yes/No/N/A
Web Bugs | No
Web Beacons | No
Session Cookies | No
Persistent Cookies | No
Other | No

*37. Does the website have any information or pages directed at children under the age of thirteen?:
No
If yes, is there a unique privacy policy for the site, and does the unique privacy policy address the process for obtaining parental consent if any information is collected?:

38. Does the website collect PII from individuals?:
No

Please indicate “Yes” or “No” for each category below:
Category | Yes/No
Name | No
Date of Birth | No
SSN | No
Photographic Identifiers | No
Driver's License | No
Biometric Identifiers | No
Mother's Maiden Name | No
Vehicle Identifiers | No
Mailing Address | No
Phone Numbers | No
Medical Records Numbers | No
Medical Notes | No
Financial Account Information | No
Certificates | No
Legal Documents | No
Device Identifiers | No
Web URLs | No
Email Address | No
Education Records | No
Military Status | No
Employment Status | No
Foreign Activities | No
Other | No

39. Are rules of conduct in place for access to PII on the website?:
Yes
40. Does the website contain links to sites external to the OPDIV that owns and/or operates the system?:
No
If yes, note whether the system provides a disclaimer notice for users that follow external links to websites not owned or operated by the OPDIV.:

ADMINISTRATIVE CONTROLS

Administrative Controls
Note: This PIA uses the terms “Administrative,” “Technical” and “Physical” to refer to security control questions—terms that are used in several Federal laws when referencing security requirements.

41. Has the system been certified and accredited (C&A)?:
No
41a. If yes, please indicate when the C&A was completed:

41b. If a system requires a C&A and no C&A was completed, is a C&A in progress?:
Yes
42. Is there a system security plan for this system?:
Yes
43. Is there a contingency (or backup) plan for the system?:
Yes
44. Are files backed up regularly?:
Yes
45. Are backup files stored offsite?:
Yes
46. Are there user manuals for the system?:
Yes
47. Have personnel (system owners, managers, operators, contractors and/or program managers) using the system been trained and made aware of their responsibilities for protecting the information being collected and maintained?:
Yes
48. If contractors operate or use the system, do the contracts include clauses ensuring adherence to privacy provisions and practices?:
Yes
49. Are methods in place to ensure least privilege (i.e., “need to know” and accountability)?:
Yes
If yes, please specify method(s).:
Microsoft Windows Security Groups in Active Directory
*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):
Yes
If yes, please provide some detail about these policies/practices.:
There is a CDC policy guide titled CDC Staff Manual on Confidentiality, which covers this subject in detail. http://cin.niosh.cdc.gov/welcome/orientation/Confidentiality%20Booklet.pdf
TECHNICAL CONTROLS

Technical Controls
51. Are technical controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system?:
Yes

Please indicate “Yes” or “No” for each category below:
Category | Yes/No
User Identification | Yes
Passwords | Yes
Firewall | Yes
Virtual Private Network (VPN) | Yes
Encryption | In-Process
Intrusion Detection System (IDS) | No
Common Access Cards (CAC) | No
Smart Cards | In-Process
Biometrics | No
Public Key Infrastructure (PKI) | No

52. Is there a process in place to monitor and respond to privacy and/or security incidents?:
Yes
If yes, please briefly describe the process:
There is a CDC policy guide titled CDC Staff Manual on Confidentiality, which covers this subject in detail. http://cin.niosh.cdc.gov/welcome/orientation/Confidentiality%20Booklet.pdf CDC Incident Response Plan http://intranet.cdc.gov/ociso/incidents/SBU-CDC_Incident_Response_Plan_v2_0b.pdf
PHYSICAL ACCESS

Physical Access
53. Are physical access controls in place?:
Yes

Please indicate “Yes” or “No” for each category below:
Category | Yes/No
Guards | Yes
Identification Badges | Yes
Key Cards | Yes
Cipher Locks | No
Biometrics | No
Closed Circuit TV (CCTV) | Yes

*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls.:
A unique ID and password are required to access the information on the CDC network. All users on the CDC network are required to take Privacy Act training prior to being granted access.
This is covered in the DOSEREC Computer Security Plan and the NIOSH Dose Reconstruction System Policies and Procedures Guide.
Information in identifiable form (IIF) is collected and the proper controls are utilized to safeguard sensitive information.
E-Authentication Assurance Level = N/A
Risk Analysis Date = May 1, 2009

APPROVAL/DEMOTION

System Information
System Name:

PIA Reviewer Approval/Promotion or Demotion
Promotion/Demotion:

Comments:

Approval/Demotion Point of Contact:

Date:

Senior Official for Privacy Approval/Promotion or Demotion
Promotion/Demotion:

Comments:

OPDIV Senior Official for Privacy or Designee Approval
Please print the PIA and obtain the endorsement of the reviewing official below. Once the signature has been collected, retain a hard copy for the OPDIV's records. Submitting the PIA will indicate the reviewing official has endorsed it.
This PIA has been reviewed and endorsed by the OPDIV Senior Official for Privacy or Designee (Name and Date):
Name: __________________________________ Date: ________________________________________

Department Approval to Publish to the Web
Approved for web publishing

Date Published:

Publicly posted PIA URL or no PIA URL explanation:

% COMPLETE

PIA Completion
PIA Percentage Complete:

PIA Missing Fields:

File Type | application/msword |
File Title | Primavera ProSight Report |
Author | Sophia Shih |
Last Modified By | Bigham, Jane E. (CDC/NIOSH/OD) |
File Modified | 2011-11-21 |
File Created | 2011-11-21 |