06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Information
Service (CIS)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: N/A
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): N/A
5. OMB Information Collection Approval Number: N/A
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI CIS/Cancer.gov Sites
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Robert Zablocki
10. Provide an overview of the system: The system includes several search interfaces
accessible through the Cancer.gov site (National Organizations That Offer Cancer-related
Services, Resources for Financial Assistance for Patients and Their Families, and National
Cancer Institute-designated Cancer Centers database search interfaces), and the LiveHelp
Welcome Page. These are information sites meant to provide users with search capabilities to retrieve
lists of organizations concerned with helping cancer patients and their families/friends or to provide
the public with access to "chat" with the NCI's Cancer Information Service.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
N/A
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The three search interfaces
allow users to input their e-mail address in order to receive selected information via e-mail. E-mail
addresses are not maintained or disseminated; e-mail addresses are provided voluntarily by
users and are used only to provide requested information via this channel. Users have other print
options available should they wish to have this information but not provide an e-mail address.
The LiveHelp Welcome Page provides users with access to the LiveHelp chat service manned by
NCI's Contact Center staff, which is included in a separate PIA, NIH NCI CIS Extranet.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) E-mail address is not stored and so users cannot be
contacted about major changes to the system. Online help files describe features/functions of the
sites and are updated as changes are made.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.:
· Only authenticated, authorized systems staff have access to the database.
· Controlled access to production servers; only Web administrator has this level of access.
· There is a designated deployment team and deployments are handled from a secure gateway with no connection to the Internet.
· Usernames and strong passwords are required for user access to production interface for database.
· All production assets are in a central data center that has controlled and limited physical access.
· Production environment is separate from development environment both logically and physically.
· Each application in the system has set user levels with different privileges assigned to each level.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: February 13, 2012
_____________________________________________________________________________
File Type | application/pdf |
File Modified | 2012-05-25 |
File Created | 2012-02-10 |