Appendices for SSA

Appendix for CareerTrac Supporting Statement 9.26.2012.doc

FIC CareerTrac


OMB: 0925-0568





Attachments to the Supporting Statement
for

CareerTrac


Paperwork Reduction Act Submission





Table of Contents



Attachment 1: Authorizing Legislation

Attachment 2: Privacy Impact Assessment

Attachment 3: Comment and Response to 60 day Notice



ATTACHMENT 1: Authorizing Legislation



TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part E, subpart 2, Sec. 287b


The general purpose of the John E. Fogarty International Center for Advanced Study in the Health Sciences is to:


(1) facilitate the assembly of scientists and others in the biomedical, behavioral, and related fields for discussion, study, and research relating to the development of health science internationally;


(2) provide research programs, conferences, and seminars to further international cooperation and collaboration in the life sciences;


(3) provide postdoctorate fellowships for research training in the United States and abroad and promote exchanges of senior scientists between the United States and other countries;


(4) coordinate the activities of the National Institutes of Health concerned with the health sciences internationally; and


(5) receive foreign visitors to the National Institutes of Health.





TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 12, Sec. 285l


The general purpose of the National Institute of Environmental Health Sciences (in this subpart referred to as the "Institute") is the conduct and support of research, training, health information dissemination, and other programs with respect to factors in the environment that affect human health, directly or indirectly.





TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 11, Sec. 285k

The general purpose of the National Institute of General Medical Sciences is the conduct and support of research, training, and, as appropriate, health information dissemination, and other programs with respect to general or basic medical sciences and related natural or behavioral sciences which have significance for two or more other national research institutes or are outside the general area of responsibility of any other national research institute.



TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part D, subpart 2, Sec. 286b-3

 

The Secretary shall make grants—


  1. to individuals to enable them to accept traineeships and fellowships leading to postbaccalaureate academic degrees in the field of medical library science, in related fields pertaining to sciences related to health, or in the field of the communication of information;


  2. to individuals who are librarians or specialists in information on sciences relating to health, to enable them to undergo intensive training or retraining so as to attain greater competence in their occupations (including competence in the fields of automatic data processing and retrieval);


  3. to assist appropriate public and private nonprofit institutions in developing, expanding, and improving training programs in library science and the field of communications of information pertaining to sciences relating to health; and


  4. to assist in the establishment of internship programs in established medical libraries meeting standards which the Secretary shall prescribe.


ATTACHMENT 2: Privacy Impact Assessment



06.1 HHS Privacy Impact Assessment (Form) / NIH NIEHS Career Trac [System] (Item)

Primavera ProSight

Form Report, printed by: Minneman, Kim, Sep 6, 2012



PIA SUMMARY




The following required questions with an asterisk (*) represent the information necessary to complete the PIA Summary for transmission to the Office of Management and Budget (OMB) and public posting in accordance with OMB Memorandum (M) 03-22.

Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of personally identifiable information (PII). If no PII is contained in the system, please answer questions in the PIA Summary Tab and then promote the PIA to the Senior Official for Privacy who will authorize the PIA. If this system contains PII, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.


Summary of PIA Required Questions

*Is this a new PIA?

No

If this is an existing PIA, please provide a reason for revision:

PIA Validation

*1. Date of this Submission:

Aug 30, 2012

*2. OPDIV Name:

NIH

*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):

09-25-0014

*5. OMB Information Collection Approval Number:

0925-0568

*6. Other Identifying Number(s):

None

*7. System Name (Align with system item name):

NIEHS CareerTrac

*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:





Point of Contact Information
POC Name: Christie H. Drew



*10. Provide an overview of the system:

CareerTrac is a trainee tracking and evaluation system for several NIH Institutes. The goal of this system is to track long-term trainee outcomes for specific trainees supported by NIEHS, FIC and NLM. The system allows extramural and intramural PIs to track trainees' accomplishments. Most extramural PIs are required to track outcomes for 10 years as a condition of their grant award. We will use the system to conduct assessments and evaluations on trainee productivity, career outcomes, and successes. CareerTrac is a collaborative database used by multiple ICs, including NIEHS, FIC and NLM. This PIA covers all ICs. As new partners join the system, we will update the PIA accordingly.

*13. Indicate if the system is new or an existing one being modified:

Existing

*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?

TIP: If the answer to Question 17 is “No” (indicating the system does not contain PII), only the remaining PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII “permitting the physical or online contacting of a specific individual … employed [by] the Federal Government” – only need to complete the PIA Summary tab.)

Yes

17a. Is this a GSS PIA included for C&A purposes only, with no ownership of underlying application data? If the response to Q.17a is Yes, the response to Q.17 should be No and only the PIA Summary must be completed.

No

*19. Are records on the system retrieved by 1 or more PII data elements?

Yes

*21. Is the system subject to the Privacy Act? (If the response to Q.19 is Yes, the response to Q.21 must be Yes and a SORN number is required for Q.4)

Yes

*23. If the system shares or discloses PII, please specify with whom and for what purpose(s):

NIH evaluation staff for review and evaluations; intramural and university principal investigators and their administrators responsible for data entry.

*30. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate (clearly state if the information contained in the system ONLY represents federal contact data); (2) Why and for what purpose the agency will use the information; (3) Explicitly indicate whether the information contains PII; and (4) Whether submission of personal information is voluntary or mandatory:

(1) The system will collect, track, and report on information about NIH-supported trainees, such as trainee name, contact information, biographical information, training information, and subsequent career information. The system also supports tracking of trainees' accomplishments, such as fellowships, awards, employment, education, product of policy development, publications, funding received, presentations at conferences, and students mentored.

(2) The agency will use this information to evaluate the long-term outcomes of training program investments and make recommendations for improvement. The information may be aggregated for reporting purposes to other organizations, such as DHHS, Congress and other organizations interested in training investments and outcomes.

(3) The information contains PII.

(4) Submission of personal information is mandatory for trainees who are officially appointed to Institutional training grant programs supported by NIH, but is voluntary for trainees who are supported by grants that do not require formal appointments through X-Train.

*31. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) Notify and obtain consent from individuals regarding what PII is being collected from them; and (3) How the information will be used or shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]):

(1) None

(2) Trainees who are officially appointed to the program via X-Train are aware that NIH collects data about them, based on the conditions of their awards. For all other trainees entered into the system, CareerTrac will provide an electronic notification to trainees about the purpose of the data and how it will be used and shared. We request that trainees read the Privacy Act Disclosure and sign a Certificate of Acceptance form, which is clearly documented in CareerTrac.

(3) The agency will use this information to evaluate the long-term outcomes of training program investments and make recommendations for improvement. The information may be aggregated for reporting purposes to other organizations, such as DHHS, Congress and other organizations interested in training investments and outcomes.

*32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII)

Yes

*37. Does the website have any information or pages directed at children under the age of thirteen?

No

*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN)

Yes

*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls:

The following safeguards are implemented in order to protect the information collected through CareerTrac. Regular access to the information is limited to NIH employees, contractor employees, or principal investigators and their administrators who are conducting, reviewing or contributing to the system. Other access will be granted only on a case-by-case basis, consistent with the restrictions, as authorized by the system manager or designated responsible official.

Administrative Control: CareerTrac has a system security plan and backup plan. The files are backed-up regularly and maintained in a secure location.

Technical Control: ES Career Trac is securely hosted behind the NIEHS/NIH firewall. Passwords are encrypted and changed regularly. PIs and their administrators can only view records from trainees supported by their grants. NIEHS maintains appropriate physical, electronic, and procedural safeguards to ensure the security, integrity, and privacy of trainees' information.

Physical access controls are in place for CareerTrac. Records are stored in locked containers in areas which are not accessible to unauthorized users, and in facilities which are locked and guarded. Sensitive records are not left exposed to unauthorized persons at any time.

PIA REQUIRED INFORMATION



HHS Privacy Impact Assessment (PIA)

The PIA determines if Personally Identifiable Information (PII) is contained within a system, what kind of PII, what is done with that information, and how that information is protected. Systems with PII are subject to an extensive list of requirements based on privacy laws, regulations, and guidance. The HHS Privacy Act Officer may be contacted for issues related to Freedom of Information Act (FOIA) and the Privacy Act. Respective Operating Division (OPDIV) Privacy Contacts may be contacted for issues related to the Privacy Act. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions related to the administrative, technical, and physical controls of the system. Please note that answers to questions with an asterisk (*) will be submitted to the Office of Management and Budget (OMB) and made publicly available in accordance with OMB Memorandum (M) 03-22.

Note: If a question or its response is not applicable, please answer “N/A” to that question where possible.


General Information

*Is this a new PIA?

No

If this is an existing PIA, please provide a reason for revision:

PIA Validation

*1. Date of this Submission:

Aug 30, 2012

*2. OPDIV Name:

NIH

3. Unique Project Identifier (UPI) Number for current fiscal year (Data is auto-populated from the System Inventory form, UPI table):


*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):

09-25-0014

*5. OMB Information Collection Approval Number:

0925-0568

5a. OMB Collection Approval Number Expiration Date:

Sep 30, 2012

*6. Other Identifying Number(s):

None

*7. System Name: (Align with system item name)

NIEHS CareerTrac

8. System Location: (OPDIV or contractor office building, room, city, and state)





System Location:
OPDIV or contractor office building: NIEHS Rall Building
Room: A-363
City: Durham
State: NC



*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:





Point of Contact Information
POC Name: Christie H. Drew

The following information will not be made publicly available:
POC Title: Chief, Program Analysis Branch
POC Organization: NIH/NIEHS/DERT/PAB
POC Phone: 919-541-3319
POC Email: [email protected]



*10. Provide an overview of the system: (Note: The System Inventory form can provide additional information for child dependencies if the system is a GSS)

CareerTrac is a trainee tracking and evaluation system for several NIH Institutes. The goal of this system is to track long-term trainee outcomes for specific trainees supported by NIEHS, FIC and NLM. The system allows extramural and intramural PIs to track trainees' accomplishments. Most extramural PIs are required to track outcomes for 10 years as a condition of their grant award. We will use the system to conduct assessments and evaluations on trainee productivity, career outcomes, and successes. CareerTrac is a collaborative database used by multiple ICs, including NIEHS, FIC and NLM. This PIA covers all ICs. As new partners join the system, we will update the PIA accordingly.

SYSTEM CHARACTERIZATION AND DATA CATEGORIZATION



System Characterization and Data Configuration

11. Does HHS own the system?

Yes

11a. If no, identify the system owner:


12. Does HHS operate the system? (If the system is operated at a contractor site, the answer should be No)

Yes

12a. If no, identify the system operator:


*13. Indicate if the system is new or an existing one being modified:

Existing

14. Identify the life-cycle phase of this system:

Implementation

15. Have any of the following major changes occurred to the system since the PIA was last submitted?

Yes





Please indicate “Yes” or “No” for each category below:
Conversions: Yes
Anonymous to Non-Anonymous: No
Significant System Management Changes: No
Significant Merging: Yes
New Public Access: No
Commercial Sources: No
New Interagency Uses: No
Internal Flow or Collection: No
Alteration in Character of Data: No



16. Is the system a General Support System (GSS), Major Application (MA), Minor Application (child) or Minor Application (stand-alone)?

Minor Application (child)

*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system?

Yes

TIP: If the answer to Question 17 is “No” (indicating the system does not contain PII), only the remaining PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII “permitting the physical or online contacting of a specific individual … employed [by] the Federal Government” – only need to complete the PIA Summary tab.)

Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII.





Categories (Yes/No):
Name (for purposes other than contacting federal employees): Yes
Date of Birth: No
Social Security Number (SSN): No
Photographic Identifiers: No
Driver’s License: No
Biometric Identifiers: No
Mother’s Maiden Name: No
Vehicle Identifiers: No
Personal Mailing Address: Yes
Personal Phone Numbers: Yes
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web Uniform Resource Locator(s) (URL): No
Personal Email Address: Yes
Education Records: Yes
Military Status: No
Employment Status: Yes
Foreign Activities: No
Other:




17a. Is this a GSS PIA included for C&A purposes only, with no ownership of underlying application data? If the response to Q.17a is Yes, the response to Q.17 should be No and only the PIA Summary must be completed.

No

18. Please indicate the categories of individuals about whom PII is collected, maintained, disseminated and/or passed through. Note: If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII. Please answer "Yes" or "No" to each of these choices (NA in other is not applicable).





Categories (Yes/No):
Employees: No
Public Citizen: Yes
Patients: No
Business partners/contacts (Federal, state, local agencies): No
Vendors/Suppliers/Contractors: No
Other:




*19. Are records on the system retrieved by 1 or more PII data elements?

Yes

Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII.





Categories (Yes/No):
Name (for purposes other than contacting federal employees): Yes
Date of Birth: No
SSN: No
Photographic Identifiers: No
Driver’s License: No
Biometric Identifiers: No
Mother’s Maiden Name: No
Vehicle Identifiers: No
Personal Mailing Address: No
Personal Phone Numbers: No
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web URLs: No
Personal Email Address: Yes
Education Records: Yes
Military Status: No
Employment Status: Yes
Foreign Activities: No
Other:




20. Are 10 or more records containing PII maintained, stored or transmitted/passed through this system?

Yes

*21. Is the system subject to the Privacy Act? (If the response to Q.19 is Yes, the response to Q.21 must be Yes and a SORN number is required for Q.4)

Yes

21a. If yes but a SORN has not been created, please provide an explanation.


INFORMATION SHARING PRACTICES



Information Sharing Practices

22. Does the system share or disclose PII with other divisions within this agency, external agencies, or other people or organizations outside the agency?

Yes





Please indicate “Yes” or “No” for each category below:
Name (for purposes other than contacting federal employees): Yes
Date of Birth: No
SSN: No
Photographic Identifiers: No
Driver’s License: No
Biometric Identifiers: No
Mother’s Maiden Name: No
Vehicle Identifiers: No
Personal Mailing Address: Yes
Personal Phone Numbers: Yes
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web URLs: No
Personal Email Address: Yes
Education Records: Yes
Military Status: No
Employment Status: Yes
Foreign Activities: No
Other:




*23. If the system shares or discloses PII please specify with whom and for what purpose(s):

NIH evaluation staff for review and evaluations; intramural and university principal investigators and their administrators responsible for data entry.

24. If the PII in the system is matched against PII in one or more other computer systems, are computer data matching agreement(s) in place?

No

25. Is there a process in place to notify organizations or systems that are dependent upon the PII contained in this system when major changes occur (i.e., revisions to PII, or when the system is replaced)?

No

26. Are individuals notified how their PII is going to be used?

Yes

26a. If yes, please describe the process for allowing individuals to have a choice. If no, please provide an explanation.

Data is placed into CareerTrac by the principal investigators on a voluntary basis. Different consent forms are used for different types of trainees. Some trainees in CareerTrac are required to submit official appointment documentation. The appointment process (now managed through X-Train) includes a standard privacy statement informing trainees about the existence of the system and about the use of the information. Other trainees are not appointed using official forms. When these individuals are added to the system, we send a privacy notice. This process follows the approach developed during the initial development of CareerTrac at FIC.

27. Is there a complaint process in place for individuals who believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate?

Yes

27a. If yes, please describe briefly the notification process. If no, please provide an explanation.

The trainee will write to their PI who will in turn forward the request to NIEHS. The trainee should reasonably identify the record and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate or incomplete. The right to contest records is limited to information which is incomplete or inaccurate.

28. Are there processes in place for periodic reviews of PII contained in the system to ensure the data’s integrity, availability, accuracy and relevancy?

Yes

28a. If yes, please describe briefly the review process. If no, please provide an explanation.

PIs have access to the system and are responsible for updating the information submitted. NIH program officials periodically review reports for the programs to ensure data quality.

29. Are there rules of conduct in place for access to PII on the system?

Yes

Please indicate "Yes," "No," or "N/A" for each category. If yes, briefly state the purpose for each user to have access:





Users with access to PII (Yes/No/N/A, with purpose):
User: Yes. Purpose: Data entry, review, report and update. (Note: Users only have access to PII for the trainees associated with their Institution; they may NOT view PII for trainees funded by other organizations.)
Administrators: Yes. Purpose: Manage user accounts, system level data, data analysis and integrity
Developers: Yes. Purpose: Application maintenance and enhancements
Contractors: Yes. Purpose: For directed evaluation purposes
Other: Yes. Purpose: Program Officers have access to PII so that they can evaluate the effectiveness of training programs.



*30. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate (clearly state if the information contained in the system ONLY represents federal contact data); (2) Why and for what purpose the agency will use the information; (3) Explicitly indicate whether the information contains PII; and (4) Whether submission of personal information is voluntary or mandatory:

(1) The system will collect, track, and report on information about NIH-supported trainees, such as trainee name, contact information, biographical information, training information, and subsequent career information. The system also supports tracking of trainees' accomplishments, such as fellowships, awards, employment, education, product of policy development, publications, funding received, presentations at conferences, and students mentored.

(2) The agency will use this information to evaluate the long-term outcomes of training program investments and make recommendations for improvement. The information may be aggregated for reporting purposes to other organizations, such as DHHS, Congress and other organizations interested in training investments and outcomes.

(3) The information contains PII.

(4) Submission of personal information is mandatory for trainees who are officially appointed to Institutional training grant programs supported by NIH, but is voluntary for trainees who are supported by grants that do not require formal appointments through X-Train.

*31. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) Notify and obtain consent from individuals regarding what PII is being collected from them; and (3) How the information will be used or shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])

(1) None

(2) Trainees who are officially appointed to the program via X-Train are aware that NIH collects data about them, based on the conditions of their awards. For all other trainees entered into the system, CareerTrac will provide an electronic notification to trainees about the purpose of the data and how it will be used and shared. We request that trainees read the Privacy Act Disclosure and sign a Certificate of Acceptance form, which is clearly documented in CareerTrac.

(3) The agency will use this information to evaluate the long-term outcomes of training program investments and make recommendations for improvement. The information may be aggregated for reporting purposes to other organizations, such as DHHS, Congress and other organizations interested in training investments and outcomes.

WEBSITE HOSTING PRACTICES



Website Hosting Practices

*32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII)

Yes





Please indicate “Yes” or “No” for each type of site below. If the system hosts both Internet and Intranet sites, indicate “Yes” for “Both” only. If the system hosts an Internet site, please enter the site URL. Do not enter any URL(s) for Intranet sites.
Internet: Yes (https://careertrac.niehs.nih.gov/)
Intranet: No
Both: No




33. Does the system host a website that is accessible by the public and does not meet the exceptions listed in OMB M-03-22?

Note: OMB M-03-22 Attachment A, Section III, Subsection C requires agencies to post a privacy policy for websites that are accessible to the public, but provides three exceptions: (1) Websites containing information other than "government information" as defined in OMB Circular A-130; (2) Agency intranet websites that are accessible only by authorized government users (employees, contractors, consultants, fellows, grantees); and (3) National security systems defined at 40 U.S.C. 11103 as exempt from the definition of information technology (see section 202(i) of the E-Government Act.).

Yes

34. If the website does not meet one or more of the exceptions described in Q. 33 (i.e., response to Q. 33 is "Yes"), a website privacy policy statement (consistent with OMB M-03-22 and Title II and III of the E-Government Act) is required. Has a website privacy policy been posted?

Yes

35. If a website privacy policy is required (i.e., response to Q. 34 is “Yes”), is the privacy policy in machine-readable format, such as Platform for Privacy Preferences (P3P)?

Yes

35a. If no, please indicate when the website will be P3P compliant:


36. Does the website employ tracking technologies?

No





Please indicate “Yes”, “No”, or “N/A” for each type of cookie below:
Web Bugs: No
Web Beacons: No
Session Cookies: No
Persistent Cookies: No
Other:




*37. Does the website have any information or pages directed at children under the age of thirteen?

No

37a. If yes, is there a unique privacy policy for the site, and does the unique privacy policy address the process for obtaining parental consent if any information is collected?


38. Does the website collect PII from individuals?

Yes





Please indicate “Yes” or “No” for each category below:
Name (for purposes other than contacting federal employees): Yes
Date of Birth: No
SSN: No
Photographic Identifiers: No
Driver's License: No
Biometric Identifiers: No
Mother's Maiden Name: No
Vehicle Identifiers: No
Personal Mailing Address: Yes
Personal Phone Numbers: Yes
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web URLs: No
Personal Email Address: Yes
Education Records: Yes
Military Status: No
Employment Status: Yes
Foreign Activities: No
Other:




39. Are rules of conduct in place for access to PII on the website?

No

40. Does the website contain links to sites external to HHS that owns and/or operates the system?

No

40a. If yes, note whether the system provides a disclaimer notice for users that follow external links to websites not owned or operated by HHS.


ADMINISTRATIVE CONTROLS



Administrative Controls

Note: This PIA uses the terms “Administrative,” “Technical” and “Physical” to refer to security control questions—terms that are used in several Federal laws when referencing security requirements.

41. Has the system been certified and accredited (C&A)?

Yes

41a. If yes, please indicate when the C&A was completed:

Mar 2, 2012

41b. If a system requires a C&A and no C&A was completed, is a C&A in progress?

Not Applicable

42. Is there a system security plan for this system?

Yes

43. Is there a contingency (or backup) plan for the system?

Yes

44. Are files backed up regularly?

Yes

45. Are backup files stored offsite?

Yes

46. Are there user manuals for the system?

Yes

47. Have personnel (system owners, managers, operators, contractors and/or program managers) using the system been trained and made aware of their responsibilities for protecting the information being collected and maintained?

Yes

48. If contractors operate or use the system, do the contracts include clauses ensuring adherence to privacy provisions and practices?

Yes

49. Are methods in place to ensure least privilege (i.e., “need to know” and accountability)?

Yes

49a. If yes, please specify method(s):

Users are assigned access in the system based on their role in the organization and reporting process. These roles limit access within the application.

*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN):

Yes

50a. If yes, please provide some detail about these policies/practices:

CareerTrac tracks trainee career achievements 10 years from the end of their training. NIEHS plans to retain the PII data for as long as it is required and reasonable. The purpose of the collection is long-term outcome tracking, so it is important to keep the data.

TECHNICAL CONTROLS


1

Technical Controls

51. Are technical controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system?

Yes





Please indicate “Yes” or “No” for each category below:

User Identification: Yes

Passwords: Yes

Firewall: Yes

Virtual Private Network (VPN): Yes

Encryption: Yes

Intrusion Detection System (IDS): Yes

Common Access Cards (CAC): No

Smart Cards: No

Biometrics: No

Public Key Infrastructure (PKI): No



52. Is there a process in place to monitor and respond to privacy and/or security incidents?

Yes

52a. If yes, please briefly describe the process:

Monitoring by intrusion detection system, review of firewall logs, account lockout functions.

PHYSICAL ACCESS


1

Physical Access

53. Are physical access controls in place?

Yes





Please indicate “Yes” or “No” for each category below:

Guards: Yes

Identification Badges: Yes

Key Cards: Yes

Cipher Locks: No

Biometrics: No

Closed Circuit TV (CCTV): Yes



*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls:

The following safeguards are implemented in order to protect the information collected through CareerTrac. Regular access to the information is limited to NIH employees, contractor employees, or principal investigators and their administrators who are conducting, reviewing or contributing to the system. Other access will be granted only on a case-by-case basis, consistent with the restrictions, as authorized by the system manager or designated responsible official.

Administrative Control: CareerTrac has a system security plan and backup plan. The files are backed-up regularly and maintained in a secure location.

Technical Control: ES Career Trac is securely hosted behind the NIEHS/NIH firewall. Passwords are encrypted and changed regularly. PIs and their administrators can only view records from trainees supported by their grants. NIEHS maintains appropriate physical, electronic, and procedural safeguards to ensure the security, integrity, and privacy of trainee's information.

Physical access controls are in place for CareerTrac. Records are stored in locked containers in areas which are not accessible to unauthorized users, and in facilities which are locked and guarded. Sensitive records are not left exposed to unauthorized persons at any time.

APPROVAL/DEMOTION


1

System Information

System Name:

NIEHS CareerTrac

2

PIA Reviewer Approval/Promotion or Demotion

Promotion/Demotion:

Promote

Comments:


Approval/Demotion Point of Contact:


Date:

Aug 30, 2012

3

Senior Official for Privacy Approval/Promotion or Demotion

Promotion/Demotion:

Promote

Comments:


4

OPDIV Senior Official for Privacy or Designee Approval

Please print the PIA and obtain the endorsement of the reviewing official below. Once the signature has been collected, retain a hard copy for the OPDIV's records. Submitting the PIA will indicate the reviewing official has endorsed it.

This PIA has been reviewed and endorsed by the OPDIV Senior Official for Privacy or Designee (Name and Date):

Name: __________________________________ Date: ________________________________________





Name:

Karen Plá



Date:

Jun 10, 2010



5

Department Approval to Publish to the Web

Approved for web publishing


Date Published:


Publicly posted PIA URL or no PIA URL explanation:


PIA % COMPLETE


1

PIA Completion

PIA Percentage Complete:

100.00

PIA Missing Fields:


ATTACHMENT 3: Comment and Response to 60 day Notice




July 18, 2012


Dr. Rachel Sturke

Evaluation Office

Division of Science Policy, Planning and Evaluation

NIH

16 Center Drive

Bethesda, MD 20892


Sent via email: [email protected]


Re: Comment Request; CareerTrac


Dear Dr. Sturke:

On behalf of the Board of Trustees and members of ARVO I submit the following comments in response to your Notice for comments on CareerTrac, published in the June 1, 2012 Federal Register. ARVO is the largest and most respected eye and vision research organization in the world. Our members include over 7,100 members in the U.S. and more than 12,600 researchers from over 80 countries around the world. ARVO encourages and assists research, training, publication and knowledge-sharing in vision and ophthalmology. Since the majority of ARVO members are researchers, many are recipients of NIH grants, and many are conducting research in academic institutions, there is an appreciation of the necessity of evaluating the success of the research projects and especially the training programs. The continued support of the Principal Investigators (PI) research and training programs by their institutions is tied inextricably to this success.

ARVO solicited comments from various relevant segments of the membership to develop useful responses that we hope will be considered before adding to the already heavy burden of reporting which detracts from conducting much needed research. Specific responses to the four areas of comment are presented below for your consideration.

  1. Whether the proposed collection of information is necessary for the proper performance of the function of the agency, including whether the information will have practical utility.

It is generally agreed that the collection of information is necessary and useful for NIH funding and/or providing continued support of training programs. However, there is some doubt of the accuracy or utility of collecting data for 10-years, especially if the trainee has left the institution from which the reporting was initiated. Reporting on long-term goals does not necessarily relate to achievement or accomplishments of the PI or trainee for several reasons: (a) goals over time may, by necessity of changing research strategies or projects, be different but not negatively reflect on achievement; (b) not all research yields positive results, which does not mean that the research was not valuable or contributed significantly to the PI’s and trainees’ advancement of knowledge; and (c) if the trainee moves to another institution, the goals and direction may dramatically change. None of these scenarios should reflect poorly on the trainees or the PI.

  2. The accuracy of the agency’s estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used.

The burden on PIs to respond to such a request for 10 years is prohibitive in time and cost and is considered to be redundant. The necessary information is captured already in submitted annual reports and successful renewals as part of the outcomes. All data is included in the annual grant reports. As NIH is aware, PIs are not compensated for any time spent reporting on grants and to extend the reporting on specific trainees to 10 years is prohibitively time consuming. Once a trainee has left a specific program he/she may move a number of times over the next 10 years; while keeping track of their movements and progress over time would be interesting, it is problematic for PIs of training grants to bear this extra burden, particularly as overlap between institutions would be duplicate effort. Non-compliance could also be an issue. Would there be penalties? Non-reporting could change a program from being viewed as a failure to being viewed as a success because the success of trainees over a 10-year period could not be assessed in appropriately similar types of training programs.

While we recognize the need to monitor, evaluate and adjust grants to ensure that desired outcomes are achieved and to inform strategic management decisions about the training funding mechanisms, ARVO does not agree that the burden-of-collection costs or time accurately reflect the actual time that would be involved. Only 11% of ARVO members responding to our survey indicated that they would have only 1 trainee per year, or 10 over a 10-year period, on whom to report. Forty-seven percent reported that they would be required to report on over 10 trainees per year, or up to 100 trainees over the 10-year period taking at least 750 hours over that time period using your calculations. Even if single-point login and single records that displayed cumulative annual reports for each trainee were developed, completion would still be a burden.

In addition, there is a strong possibility of multiple reports on the same trainee as trainees move into new programs. Both the new PI and the original PI would include the necessary information in his/her reports resulting in redundant information. If a trainee leaves the field or obtains a grant of his/her own during the reporting period it is unclear how these situations would be monitored and reported.

  3. Ways to enhance the quality, utility, and clarity of the information to be collected.



To summarize the suggestions received in ARVO’s survey:

  1. It was pointed out that PIs have no inherent right to know about former trainees’ activities, successes or failures.

  2. The responsibility of reporting could best be handled by the trainee. If the PI under whom the trainee is acting is recorded, as well as the applicable grant number, the data could be linked directly to the PI to assist in evaluating the program. In the event that the trainee moves to a new institution during the 10-year recording period, the move and position under a new PI, if appropriate, would be the responsibility of the trainee. In addition, if the trainee leaves the field or moves outside the United States and continues research, only the trainee would be able to record those details over this extended time frame. This would result in more data for analysis than a voluntary program.

  3. An alternative would be to require all trainees funded through the relevant grants to establish an eRAcommons account and report annually; data would be more accurate and could be linked back to the PIs by grant number and name. This would result in more data for analysis than a voluntary program.



  4. Ways to minimize the burden of the collection of information on those who are to respond, including the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.



ARVO suggests that data mining of existing databases, including eRA Commons (era.nih.gov), PubMed and PubMed Central, would provide sufficient data on trainees. Typically, annual reporting does not fit the research and career pace of young investigators; the exception being if trainees receive their own NIH funding during this period.



An alternative: It is not necessary to have two separate systems for tracking the same information. If the necessary information were required in conjunction with reporting on training grants and only for the trainees in the program during that reporting period, data mining of the grants reporting system should be sufficient to guide strategic planning. This would also result in a larger amount of data than if PIs record career progress on a voluntary basis.



Thank you for the opportunity to participate in this process. The future of research lies with today’s trainees. Understanding the goals and outcomes of their training will better inform strategic thinking to ensure our continued success.



Sincerely yours,





Linda McLoon, PhD

Chair, Advocacy Committee

ARVO

and

University of Minnesota

Department of Ophthalmology



On behalf of the Board of Trustees and ARVO members


September 17, 2012

Linda McLoon, PhD

Chair, Advocacy Committee

ARVO and University of Minnesota, Department of Ophthalmology

Sent via email: [email protected]


RE: Response to Comment Request; CareerTrac


Dear Dr. McLoon,


On behalf of the Institutes involved in CareerTrac, I submit the following response to your comments regarding the CareerTrac Federal Register Notice on June 1, 2012.


  1. The respondent indicates that collecting information on trainees for 10 years will present an undue burden on their members. However, collecting information on trainees for 10 years is a clear condition of an institutional training grant award as indicated in the Funding Opportunity Announcement and the Notice of Grant Award. The grantees/PIs agree to this condition when they receive the award. This system simply provides them with a database to use to meet this condition as they prepare annual progress reports.


  2. The respondent questions the burden estimate used. In fact, we calculated the wrong burden estimate. In the 60 day Federal Register Notice, we indicated that the average PI will have 30 trainees to track in any given year and will spend 30 minutes entering data for that trainee. That equals 900 minutes or 15 hours. We inadvertently listed 7.5 hours in the average time per response based on the previous OMB clearance that only estimated 15 trainees per year per grantee. As we add new Institutes to the system, these institutes’ PIs tend to have more trainees per year, so in this round of OMB clearance, we have increased the estimate of the number of trainees the PIs will be tracking per year.


  3. The respondent also questioned what would happen when a trainee moves into a new program and wonders if both the new PI and the original PI would include the necessary information in his/her reports resulting in redundant information. The answer is yes, but NIH does not view it as redundant, because trainees produce different publications at the different institution (this is the most common accomplishment). The current, paper-based system works this way. CareerTrac, however, would actually help resolve this concern because it has the potential (not yet implemented, but we are working towards it) to link trainee experiences across different training appointments.


  4. The respondent wants to know what happens if a trainee leaves the field or obtains a grant of his/her own during the reporting period. If the trainee leaves the field, that would be reported as a change in their employment. If the trainee obtains a grant of their own, that would be reported as an accomplishment and the PI can indicate if it occurred during the trainee’s tenure as a trainee or after. One of the main benefits of the CareerTrac system is to provide PIs with an opportunity to report on their trainees’ accomplishments and successes which help us understand the longer term outcomes of training programs.



  5. The respondent suggested that we put the burden of tracking/reporting on the trainee and provide each trainee with access to eRA Commons. We agree that direct access for trainees would be helpful, and we intend to explore options for using the commons ID as an approach to give trainees access. While we agree that direct trainee access would be helpful, the challenge of authenticating individual trainees currently prohibits us from doing so, without violating federal IT security guidelines.

We have had many grantees who have utilized the CareerTrac system over several years and are very supportive of the system and excited about the opportunity to use it.



Kind regards,


Rachel Sturke, PhD, MPH, MIA

Evaluation Officer

Division of International Science Policy, Planning, and Evaluation

Fogarty International Center

National Institutes of Health

16 Center Drive

Bethesda, MD 20892


Updated 9/24/2012


File Type: application/msword
File Title: The Association for Research
Author: Karen Colson
Last Modified By: Seleda Perryman
File Modified: 2012-09-28
File Created: 2012-09-28
