Attach_9B_PIA_OCR

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Clinical Research
Information Exchange Federal Investigator Registry (CRIX FIREBIRD)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/29/2011
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable (this is a minor application)
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Not Applicable
6. Other Identifying Number(s): NCI-75
7. System Name (Align with system Item name): Clinical Research Exchange Federal
Investigator Registry CRIX FIREBIRD
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Jose Galvez, MD
10. Provide an overview of the system: The Federal Investigator Registry of Biomedical
Informatics Research Data (FIREBIRD) is a software application that supports electronic
submission of clinical trial investigator information to trial sponsors and regulatory bodies. It is
the first module realized from the vision of the Interagency Oncology Task Force (IOTF), a
partnership of the National Cancer Institute (NCI) and the Food and Drug Administration (FDA),
to create an electronic infrastructure for the submission of regulatory data. Through a single
web-based platform, investigators will be able to maintain a secure profile of the most common
information required when participating in drug trials.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
The IIF may be shared with Pharmaceutical companies and the Food and Drug Administration

via an Oracle link. The IIF is under SOR 09-25-0200, Clinical, Basic and Population-based
Research Studies of the National Institutes of Health (NIH), HHS/NIH/OD
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: The agency collects
voluntarily given data on researcher’s name, birth date, mailing address, phone numbers, e-mail
address, Medical license number and the State in which it was issued, and the researcher’s
Unique Physical ID number (UPIN) in order to identify the researcher to authorized viewers and
provide contact information and credential information to authorized users. The National Cancer
Institute authorizes all users.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Researchers give only their own personal information
and do so voluntarily. The Firebird web site will disclose any changes to how IIF is used or
shared on the website itself.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): Yes
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: The IIF will be secured by management,
operational, and technical controls. Some of these controls include user identification and
authentication, public key encryption (PKI) certificates, the concept of least privilege, and
firewalls. The PKI certificates will be validated by NCI. Infrastructure product, username and
password, annual risk assessments, background checks on administrative employees, and key
locks, cipher locks and keycards necessary to enter server rooms.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/19/2011
Approved for Web Publishing: Yes
Date Published: May 23, 2012