06.1 HHS Privacy Impact Assessment (Form) / NIH NCI Enterprise Services and Clinical Trials Reporting Program (Item) |
Primavera ProSight |
Form Report, printed by: Milliard, Suzanne, Feb 5, 2013 |
|
PIA SUMMARY |
1 |
|
The following required questions with an asterisk (*) represent the information necessary to complete the PIA Summary for transmission to the Office of Management and Budget (OMB) and public posting in accordance with OMB Memorandum (M) 03-22. |
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of personally identifiable information (PII). If no PII is contained in the system, please answer questions in the PIA Summary Tab and then promote the PIA to the Senior Official for Privacy who will authorize the PIA. If this system contains PII, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion. |
2 |
Summary of PIA Required Questions |
*Is this a new PIA? |
No |
If this is an existing PIA, please provide a reason for revision: |
PIA Validation |
*1. Date of this Submission: |
Aug 22, 2012 |
*2. OPDIV Name: |
NIH |
*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): |
N/A |
*5. OMB Information Collection Approval Number: |
0925-0600 |
*6. Other Identifying Number(s): |
None |
*7. System Name (Align with system item name): |
NIH NCI Clinical Trials Reporting Program (CTRP) |
*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: |
|
|
|
|
|
Point of Contact Information |
|
|
|
POC Name |
Jose Glavez, MD |
|
|
|||
*10. Provide an overview of the system: |
The Clinical Trials Reporting Program (CTRP) is a web-based program to submit data about cancer-related clinical trials and to search for data concerning cancer-related clinical trials. The CTRP system is an electronic resource that is intended to serve as a single, definitive source of information about all NCI-supported clinical research. Deployment of this resource will allow the NCI to consolidate reporting, aggregate information and reduce redundant submissions. Information will be submitted by clinical research coordinators as designees of clinical investigators who conduct NCI-supported clinical research. |
*13. Indicate if the system is new or an existing one being modified: |
Existing |
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? |
TIP: If the answer to Question 17 is “No” (indicating the system does not contain PII), only the remaining PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII “permitting the physical or online contacting of a specific individual … employed [by] the Federal Government – only need to complete the PIA Summary tab.) |
Yes |
17a. Is this a GSS PIA included for C&A purposes only, with no ownership of underlying application data? If the response to Q.17a is Yes, the response to Q.17 should be No and only the PIA Summary must be completed. |
No |
*19. Are records on the system retrieved by 1 or more PII data elements? |
No |
*21. Is the system subject to the Privacy Act? (If the response to Q.19 is Yes, the response to Q.21 must be Yes and a SORN number is required for Q.4) |
No |
*23. If the system shares or discloses PII, please specify with whom and for what purpose(s): |
Only designated, appropriate NCI program and administrative employee and contractor staff will have full access to the data within the CTRP Database for purposes of portfolio management and compliance with regulatory and administrative reporting obligations. Access will be limited to those with a direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure agreement and staff will be given mandatory privacy and security training
Individual submitters to the CTRP Database will have full access to information they have submitted. |
*30. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate (clearly state if the information contained in the system ONLY represents federal contact data); (2) Why and for what purpose the agency will use the information; (3) Explicitly indicate whether the information contains PII; and (4) Whether submission of personal information is voluntary or mandatory: |
(1) Clinical investigators are requested to provide their professional contact information, including name, business mailing address, business phone numbers, and business e-mail address. In addition, clinical investigators and/or study coordinators are requested to provide the following elements for study subject accrual information:
• submission title • submission cut-off date (MM/DD/YYYY) • description • study subject ID • study subject birth date (MM/YYYY) • study subject gender • study subject race • study subject ethnicity • study subject zip code • study subject country • registration date (MM/DD/YYYY) • study subject method of payment • disease • participating site name
(2) The information is collected for purposes of portfolio management, compliance with regulatory and administrative reporting obligations and appropriate dissemination of cancer research information to the public. The information will be made available to designated, appropriate NCI employee and contractor staff for purposes of portfolio management and compliance with regulatory and administrative reporting obligations. Access will be limited to designated, appropriate NCI employee and contractor staff with a direct need to access the data. Access to PII will be limited to designated, appropriate NCI employee and contractor staff with a direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure agreement and staff will be given mandatory privacy and security training.
(3) The information contains the following PII: study subject birth date (MM/YYYY), study subject gender, study subject race, study subject ethnicity, and study subject zip code. Although CTRP uses a Study Subject ID to identify an accrual record on a given study, this ID is not linked to information concerning a study subject.
(4) Submission of this information is voluntary. |
*31. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) Notify and obtain consent from individuals regarding what PII is being collected from them; and (3) How the information will be used or shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]): |
NCI will post written notices on the web site portal for the CTRP system to inform clinical investigators/research coordinators of:
(1) major changes that occur to the CTRP system that affect disclosure and/or uses of PII in the CTRP system; (2) changes in the type of PII to be collected from study subjects; and (3) any changes to how PII is used or shared (from current practice of making PII collected from study subjects available only to designated, appropriate NCI employee and contractor staff on a “need to know” basis for purposes of portfolio management and compliance with regulatory and administrative reporting obligations). |
*32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII) |
Yes |
*37. Does the website have any information or pages directed at children under the age of thirteen? |
No |
*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN) |
Yes |
*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls: |
The PII will be secured by management, operational, and technical controls. Some of these controls include user identification and authentication, the concept of least privilege, and firewalls. Infrastructure product, username and password, annual risk assessments, background checks on administrative employees, key locks and keycards necessary to enter server rooms. |
PIA REQUIRED INFORMATION |
1 |
HHS Privacy Impact Assessment (PIA) |
The PIA determines if Personally Identifiable Information (PII) is contained within a system, what kind of PII, what is done with that information, and how that information is protected. Systems with PII are subject to an extensive list of requirements based on privacy laws, regulations, and guidance. The HHS Privacy Act Officer may be contacted for issues related to Freedom of Information Act (FOIA) and the Privacy Act. Respective Operating Division (OPDIV) Privacy Contacts may be contacted for issues related to the Privacy Act. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions related to the administrative, technical, and physical controls of the system. Please note that answers to questions with an asterisk (*) will be submitted to the Office of Management and Budget (OMB) and made publicly available in accordance with OMB Memorandum (M) 03-22. |
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. |
2 |
General Information |
*Is this a new PIA? |
No |
If this is an existing PIA, please provide a reason for revision: |
PIA Validation |
*1. Date of this Submission: |
Aug 22, 2012 |
*2. OPDIV Name: |
NIH |
3. Unique Project Identifier (UPI) Number for current fiscal year (Data is auto-populated from the System Inventory form, UPI table): |
|
*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4): |
N/A |
*5. OMB Information Collection Approval Number: |
0925-0600 |
5a. OMB Collection Approval Number Expiration Date: |
Mar 31, 2013 |
*6. Other Identifying Number(s): |
None |
*7. System Name: (Align with system item name) |
NIH NCI Clinical Trials Reporting Program (CTRP) |
8. System Location: (OPDIV or contractor office building, room, city, and state) |
|
|
|
|
|
System Location: |
|
|
|
OPDIV or contractor office building |
6116 Executive Boulevard |
|
|
Room |
175 |
|
|
City |
Rockville |
|
|
State |
MD |
|
|
|||
*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: |
|
|
|
|
|
Point of Contact Information |
|
|
|
POC Name |
Jose Glavez, MD |
|
|
|||
The following information will not be made publicly available: |
|
|
|
|
|
POC Title |
Director of Community Outreach & Special Programs |
|
|
POC Organization |
NCI/CBIIT |
|
|
POC Phone |
301-443-6141 |
|
|
POC Email |
|
|
|
|||
*10. Provide an overview of the system: (Note: The System Inventory form can provide additional information for child dependencies if the system is a GSS) |
The Clinical Trials Reporting Program (CTRP) is a web-based program to submit data about cancer-related clinical trials and to search for data concerning cancer-related clinical trials. The CTRP system is an electronic resource that is intended to serve as a single, definitive source of information about all NCI-supported clinical research. Deployment of this resource will allow the NCI to consolidate reporting, aggregate information and reduce redundant submissions. Information will be submitted by clinical research coordinators as designees of clinical investigators who conduct NCI-supported clinical research. |
SYSTEM CHARACTERIZATION AND DATA CATEGORIZATION |
1 |
System Characterization and Data Configuration |
11. Does HHS own the system? |
Yes |
11a. If no, identify the system owner: |
Name: Jose Galvez Component: National Institutes of Health Address: Phone: Email: [email protected] FAX: |
12. Does HHS operate the system? (If the system is operated at a contractor site, the answer should be No) |
Yes |
12a. If no, identify the system operator: |
|
*13. Indicate if the system is new or an existing one being modified: |
Existing |
14. Identify the life-cycle phase of this system: |
Operations/Maintenance |
15. Have any of the following major changes occurred to the system since the PIA was last submitted? |
Yes |
|
|
|
|
|
Please indicate “Yes” or “No” for each category below: |
Yes/No |
|
|
Conversions |
No |
|
|
Anonymous to Non-Anonymous |
No |
|
|
Significant System Management Changes |
No |
|
|
Significant Merging |
No |
|
|
New Public Access |
No |
|
|
Commercial Sources |
No |
|
|
New Interagency Uses |
No |
|
|
Internal Flow or Collection |
No |
|
|
Alteration in Character of Data |
Yes |
|
|
|||
16. Is the system a General Support System (GSS), Major Application (MA), Minor Application (child) or Minor Application (stand-alone)? |
Minor Application (child) |
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this system? |
Yes |
TIP: If the answer to Question 17 is “No” (indicating the system does not contain PII), only the remaining PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII “permitting the physical or online contacting of a specific individual … employed [by] the Federal Government – only need to complete the PIA Summary tab.) |
Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII. |
|
|
|
|
|
Categories: |
Yes/No |
|
|
Name (for purposes other than contacting federal employees) |
No |
|
|
Date of Birth |
Yes |
|
|
Social Security Number (SSN) |
No |
|
|
Photographic Identifiers |
No |
|
|
Driver’s License |
No |
|
|
Biometric Identifiers |
No |
|
|
Mother’s Maiden Name |
No |
|
|
Vehicle Identifiers |
No |
|
|
Personal Mailing Address |
Yes |
|
|
Personal Phone Numbers |
No |
|
|
Medical Records Numbers |
No |
|
|
Medical Notes |
No |
|
|
Financial Account Information |
No |
|
|
Certificates |
No |
|
|
Legal Documents |
No |
|
|
Device Identifiers |
No |
|
|
Web Uniform Resource Locator(s) (URL) |
No |
|
|
Personal Email Address |
No |
|
|
Education Records |
No |
|
|
Military Status |
No |
|
|
Employment Status |
No |
|
|
Foreign Activities |
No |
|
|
Other |
Study Subject Race, Study Subject Ethnicity, Study Subject Gender |
|
|
|||
17a. Is this a GSS PIA included for C&A purposes only, with no ownership of underlying application data? If the response to Q.17a is Yes, the response to Q.17 should be No and only the PIA Summary must be completed. |
No |
18. Please indicate the categories of individuals about whom PII is collected, maintained, disseminated and/or passed through. Note: If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII. Please answer "Yes" or "No" to each of these choices (NA in other is not applicable). |
|
|
|
|
|
Categories: |
Yes/No |
|
|
Employees |
No |
|
|
Public Citizen |
No |
|
|
Patients |
Yes |
|
|
Business partners/contacts (Federal, state, local agencies) |
No |
|
|
Vendors/Suppliers/Contractors |
No |
|
|
Other |
N/A |
|
|
|||
*19. Are records on the system retrieved by 1 or more PII data elements? |
No |
Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII. |
|
|
|
|
|
Categories: |
Yes/No |
|
|
Name (for purposes other than contacting federal employees) |
No |
|
|
Date of Birth |
No |
|
|
SSN |
No |
|
|
Photographic Identifiers |
No |
|
|
Driver’s License |
No |
|
|
Biometric Identifiers |
No |
|
|
Mother’s Maiden Name |
No |
|
|
Vehicle Identifiers |
No |
|
|
Personal Mailing Address |
No |
|
|
Personal Phone Numbers |
No |
|
|
Medical Records Numbers |
No |
|
|
Medical Notes |
No |
|
|
Financial Account Information |
No |
|
|
Certificates |
No |
|
|
Legal Documents |
No |
|
|
Device Identifiers |
No |
|
|
Web URLs |
No |
|
|
Personal Email Address |
No |
|
|
Education Records |
No |
|
|
Military Status |
No |
|
|
Employment Status |
No |
|
|
Foreign Activities |
No |
|
|
Other |
No |
|
|
|||
20. Are 10 or more records containing PII maintained, stored or transmitted/passed through this system? |
Yes |
*21. Is the system subject to the Privacy Act? (If the response to Q.19 is Yes, the response to Q.21 must be Yes and a SORN number is required for Q.4) |
No |
21a. If yes but a SORN has not been created, please provide an explanation. |
|
INFORMATION SHARING PRACTICES |
1 |
Information Sharing Practices |
22. Does the system share or disclose PII with other divisions within this agency, external agencies, or other people or organizations outside the agency? |
No |
|
|
|
|
|
Please indicate “Yes” or “No” for each category below: |
Yes/No |
|
|
Name (for purposes other than contacting federal employees) |
No |
|
|
Date of Birth |
No |
|
|
SSN |
No |
|
|
Photographic Identifiers |
No |
|
|
Driver’s License |
No |
|
|
Biometric Identifiers |
No |
|
|
Mother’s Maiden Name |
No |
|
|
Vehicle Identifiers |
No |
|
|
Personal Mailing Address |
No |
|
|
Personal Phone Numbers |
No |
|
|
Medical Records Numbers |
No |
|
|
Medical Notes |
No |
|
|
Financial Account Information |
No |
|
|
Certificates |
No |
|
|
Legal Documents |
No |
|
|
Device Identifiers |
No |
|
|
Web URLs |
No |
|
|
Personal Email Address |
No |
|
|
Education Records |
No |
|
|
Military Status |
No |
|
|
Employment Status |
No |
|
|
Foreign Activities |
No |
|
|
Other |
N/A |
|
|
|||
*23. If the system shares or discloses PII please specify with whom and for what purpose(s): |
Only designated, appropriate NCI program and administrative employee and contractor staff will have full access to the data within the CTRP Database for purposes of portfolio management and compliance with regulatory and administrative reporting obligations. Access will be limited to those with a direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure agreement and staff will be given mandatory privacy and security training
Individual submitters to the CTRP Database will have full access to information they have submitted. |
24. If the PII in the system is matched against PII in one or more other computer systems, are computer data matching agreement(s) in place? |
Not Applicable |
25. Is there a process in place to notify organizations or systems that are dependent upon the PII contained in this system when major changes occur (i.e., revisions to PII, or when the system is replaced)? |
Not Applicable |
26. Are individuals notified how their PII is going to be used? |
No |
26a. If yes, please describe the process for allowing individuals to have a choice. If no, please provide an explanation. |
Study Subject PII is collected from the Principal Investigator or Study Coordinator, and not supplied directly by the study subject. The Principal Investigator and/or Study Coordinator are notified by posted notices on the website. |
27. Is there a complaint process in place for individuals who believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate? |
Yes |
27a. If yes, please describe briefly the notification process. If no, please provide an explanation. |
If individuals believe their PII has been inappropriately obtained, used or disclosed, they can file a complaint to the Office of Civil Rights (OCR) within 180 days of the alleged violation. This complaint must be in writing and submitted either by e-mail, postal mail, or fax. |
28. Are there processes in place for periodic reviews of PII contained in the system to ensure the data’s integrity, availability, accuracy and relevancy? |
Yes |
28a. If yes, please describe briefly the review process. If no, please provide an explanation. |
The system owner checks the PII in the system. The agency will request annual self-assessment to ensure confidentiality, integrity, and availability. |
29. Are there rules of conduct in place for access to PII on the system? |
Yes |
Please indicate "Yes," "No," or "N/A" for each category. If yes, briefly state the purpose for each user to have access: |
|
|
|
||
|
Users with access to PII |
Yes/No/N/A |
Purpose |
|
|
User |
Yes |
Personally identifiable information will be made available to designated, appropriate NCI employee and contractor staff for purposes of portfolio management and compliance with regulatory and administrative reporting obligations. Individual submitters will have full access to information they have submitted. |
|
|
Administrators |
Yes |
System Administration |
|
|
Developers |
No |
|
|
|
Contractors |
Yes |
Perform services as required, primarily management of submitted data by clinical protocol abstraction staff |
|
|
Other |
Not Applicable |
|
|
|
||||
*30. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate (clearly state if the information contained in the system ONLY represents federal contact data); (2) Why and for what purpose the agency will use the information; (3) Explicitly indicate whether the information contains PII; and (4) Whether submission of personal information is voluntary or mandatory: |
(1) Clinical investigators are requested to provide their professional contact information, including name, business mailing address, business phone numbers, and business e-mail address. In addition, clinical investigators and/or study coordinators are requested to provide the following elements for study subject accrual information:
• submission title • submission cut-off date (MM/DD/YYYY) • description • study subject ID • study subject birth date (MM/YYYY) • study subject gender • study subject race • study subject ethnicity • study subject zip code • study subject country • registration date (MM/DD/YYYY) • study subject method of payment • disease • participating site name
(2) The information is collected for purposes of portfolio management, compliance with regulatory and administrative reporting obligations and appropriate dissemination of cancer research information to the public. The information will be made available to designated, appropriate NCI employee and contractor staff for purposes of portfolio management and compliance with regulatory and administrative reporting obligations. Access will be limited to designated, appropriate NCI employee and contractor staff with a direct need to access the data. Access to PII will be limited to designated, appropriate NCI employee and contractor staff with a direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure agreement and staff will be given mandatory privacy and security training.
(3) The information contains the following PII: study subject birth date (MM/YYYY), study subject gender, study subject race, study subject ethnicity, and study subject zip code. Although CTRP uses a Study Subject ID to identify an accrual record on a given study, this ID is not linked to information concerning a study subject.
(4) Submission of this information is voluntary. |
*31. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) Notify and obtain consent from individuals regarding what PII is being collected from them; and (3) How the information will be used or shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]) |
NCI will post written notices on the web site portal for the CTRP system to inform clinical investigators/research coordinators of:
(1) major changes that occur to the CTRP system that affect disclosure and/or uses of PII in the CTRP system; (2) changes in the type of PII to be collected from study subjects; and (3) any changes to how PII is used or shared (from current practice of making PII collected from study subjects available only to designated, appropriate NCI employee and contractor staff on a “need to know” basis for purposes of portfolio management and compliance with regulatory and administrative reporting obligations). |
WEBSITE HOSTING PRACTICES |
1 |
Website Hosting Practices |
*32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the presence of PII) |
Yes |
|
|
|
||
|
Please indicate “Yes” or “No” for each type of site below. If the system hosts both Internet and Intranet sites, indicate “Yes” for “Both” only. |
Yes/ No |
If the system hosts an Internet site, please enter the site URL. Do not enter any URL(s) for Intranet sites. |
|
|
Internet |
Yes |
|
|
|
Intranet |
Yes |
|
|
|
Both |
Yes |
|
|
|
||||
33. Does the system host a website that is accessible by the public and does not meet the exceptions listed in OMB M-03-22? |
Note: OMB M-03-22 Attachment A, Section III, Subsection C requires agencies to post a privacy policy for websites that are accessible to the public, but provides three exceptions: (1) Websites containing information other than "government information" as defined in OMB Circular A-130; (2) Agency intranet websites that are accessible only by authorized government users (employees, contractors, consultants, fellows, grantees); and (3) National security systems defined at 40 U.S.C. 11103 as exempt from the definition of information technology (see section 202(i) of the E-Government Act.). |
Yes |
34. If the website does not meet one or more of the exceptions described in Q. 33 (i.e., response to Q. 33 is "Yes"), a website privacy policy statement (consistent with OMB M-03-22 and Title II and III of the E-Government Act) is required. Has a website privacy policy been posted? |
Yes |
35. If a website privacy policy is required (i.e., response to Q. 34 is “Yes”), is the privacy policy in machine-readable format, such as Platform for Privacy Preferences (P3P)? |
Yes |
35a. If no, please indicate when the website will be P3P compliant: |
|
36. Does the website employ tracking technologies? |
Yes |
|
|
|
|
|
Please indicate “Yes”, “No”, or “N/A” for each type of cookie below: |
Yes/No/N/A |
|
|
Web Bugs |
No |
|
|
Web Beacons |
No |
|
|
Session Cookies |
Yes |
|
|
Persistent Cookies |
No |
|
|
Other |
N/A |
|
|
|||
*37. Does the website have any information or pages directed at children under the age of thirteen? |
No |
37a. If yes, is there a unique privacy policy for the site, and does the unique privacy policy address the process for obtaining parental consent if any information is collected? |
|
38. Does the website collect PII from individuals? |
Yes |
|
|
|
|
|
Please indicate “Yes” or “No” for each category below: |
Yes/No |
|
|
Name (for purposes other than contacting federal employees) |
No |
|
|
Date of Birth |
Yes |
|
|
SSN |
No |
|
|
Photographic Identifiers |
No |
|
|
Driver's License |
No |
|
|
Biometric Identifiers |
No |
|
|
Mother's Maiden Name |
No |
|
|
Vehicle Identifiers |
No |
|
|
Personal Mailing Address |
Yes |
|
|
Personal Phone Numbers |
No |
|
|
Medical Records Numbers |
No |
|
|
Medical Notes |
No |
|
|
Financial Account Information |
No |
|
|
Certificates |
No |
|
|
Legal Documents |
No |
|
|
Device Identifiers |
No |
|
|
Web URLs |
No |
|
|
Personal Email Address |
No |
|
|
Education Records |
No |
|
|
Military Status |
No |
|
|
Employment Status |
No |
|
|
Foreign Activities |
No |
|
|
Other |
Study Subject Race, Study Subject Ethnicity, Study Subject Gender |
|
|
|||
39. Are rules of conduct in place for access to PII on the website? |
Yes |
40. Does the website contain links to sites external to HHS that owns and/or operates the system? |
No |
40a. If yes, note whether the system provides a disclaimer notice for users that follow external links to websites not owned or operated by HHS. |
|
ADMINISTRATIVE CONTROLS |
1 |
Administrative Controls |
Note: This PIA uses the terms “Administrative,” “Technical” and “Physical” to refer to security control questions—terms that are used in several Federal laws when referencing security requirements. |
41. Has the system been certified and accredited (C&A)? |
Yes |
41a. If yes, please indicate when the C&A was completed: |
Jan 20, 2010 |
41b. If a system requires a C&A and no C&A was completed, is a C&A in progress? |
|
42. Is there a system security plan for this system? |
Yes |
43. Is there a contingency (or backup) plan for the system? |
No |
44. Are files backed up regularly? |
Yes |
45. Are backup files stored offsite? |
Yes |
46. Are there user manuals for the system? |
Yes |
47. Have personnel (system owners, managers, operators, contractors and/or program managers) using the system been trained and made aware of their responsibilities for protecting the information being collected and maintained? |
Yes |
48. If contractors operate or use the system, do the contracts include clauses ensuring adherence to privacy provisions and practices? |
Yes |
49. Are methods in place to ensure least privilege (i.e., “need to know” and accountability)? |
Yes |
49a. If yes, please specify method(s): |
Access will be limited to those with a direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure agreement and staff will be given mandatory privacy and security training. Level of access to functionality will depend on role and users will be required to undergo training for the role responsibility. System audit logs will facilitate accountability enforcement for user transactions. |
*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and Destruction section in SORN): |
Yes |
50a. If yes, please provide some detail about these policies/practices: |
National Institutes of Health, NIH System Life Cycle requirements require destruction of PII upon the termination of the system. |
TECHNICAL CONTROLS |
1 |
Technical Controls |
51. Are technical controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system? |
Yes |
|
|
|
|
|
Please indicate “Yes” or “No” for each category below: |
Yes/No |
|
|
User Identification |
Yes |
|
|
Passwords |
Yes |
|
|
Firewall |
Yes |
|
|
Virtual Private Network (VPN) |
Yes |
|
|
Encryption |
No |
|
|
Intrusion Detection System (IDS) |
Yes |
|
|
Common Access Cards (CAC) |
No |
|
|
Smart Cards |
No |
|
|
Biometrics |
No |
|
|
Public Key Infrastructure (PKI) |
No |
|
|
|||
52. Is there a process in place to monitor and respond to privacy and/or security incidents? |
Yes |
52a. If yes, please briefly describe the process: |
NIH has an Incident Response Team which responds to privacy and/or security incidents. |
PHYSICAL ACCESS |
1 |
Physical Access |
53. Are physical access controls in place? |
Yes |
|
|
|
|
|
Please indicate “Yes” or “No” for each category below: |
Yes/No |
|
|
Guards |
Yes |
|
|
Identification Badges |
Yes |
|
|
Key Cards |
Yes |
|
|
Cipher Locks |
No |
|
|
Biometrics |
No |
|
|
Closed Circuit TV (CCTV) |
No |
|
|
|||
*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls: |
The PII will be secured by management, operational, and technical controls. Some of these controls include user identification and authentication, the concept of least privilege, and firewalls. Infrastructure product, username and password, annual risk assessments, background checks on administrative employees, key locks and keycards necessary to enter server rooms. |
APPROVAL/DEMOTION |
1 |
System Information |
System Name: |
NIH NCI Clinical Trials Reporting Program (CTRP) |
2 |
PIA Reviewer Approval/Promotion or Demotion |
Promotion/Demotion: |
Promote |
Comments: |
|
Approval/Demotion Point of Contact: |
Suzy Milliard |
Date: |
Aug 22, 2012 |
3 |
Senior Official for Privacy Approval/Promotion or Demotion |
Promotion/Demotion: |
Promote |
Comments: |
|
4 |
OPDIV Senior Official for Privacy or Designee Approval |
Please print the PIA and obtain the endorsement of the reviewing official below. Once the signature has been collected, retain a hard copy for the OPDIV's records. Submitting the PIA will indicate the reviewing official has endorsed it |
This PIA has been reviewed and endorsed by the OPDIV Senior Official for Privacy or Designee (Name and Date): |
Name: __________________________________ Date: ________________________________________ |
|
|
|
|
|
Name: |
Karen Plá |
|
|
Date: |
Sep 28, 2012 |
|
|
|||
5 |
Department Approval to Publish to the Web |
Approved for web publishing |
Yes |
Date Published: |
Sep 1, 2009 |
Publicly posted PIA URL or no PIA URL explanation: |
|
PIA % COMPLETE |
1 |
PIA Completion |
PIA Percentage Complete: |
100.00 |
PIA Missing Fields: |
|
| File Type | application/msword |
| File Title | Primavera ProSight Report |
| Author | Milliard, Suzanne |
| Last Modified By | Milliard, Suzanne (NIH/NCI) [E] |
| File Modified | 2013-02-05 |
| File Created | 2013-02-05 |