Privacy Impact Assessment

NIH OD SurveyGizmo for CBPR PIA.docx

Generic Clearance for Satisfaction Surveys of Customers (CSR)


OMB: 0925-0474


06.4 Third Party Web PIA (Form) / NIH/OD/SurveyGizmo




TPWA_PIA


1

Overview


The PIA determines if Personally Identifiable Information (PII) is contained within a system, the kind of PII involved, what is done with that information, and how the PII is protected. OPDIV/STAFFDIV uses of third-party Websites or applications are subject to requirements based on privacy laws, regulations, and guidance. The Department of Health and Human Services (HHS) Privacy Act Officer may be contacted for issues related to the Freedom of Information Act (FOIA) and/or the Privacy Act. Respective HHS Operating Division (OPDIV) Privacy Contacts may be contacted for issues related to the Privacy Act. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions related to the administrative, technical, and physical controls of the system.



This Privacy Impact Assessment is to be completed in accordance with Office of Management and Budget (OMB) Memorandum (M) 03-22 Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 and OMB M-10-23 Guidance for Agency Use of Third-Party Websites and Applications. For complete background and guidance, please read the Standard Operating Procedures (SOPs) for the Privacy Impact Assessment for Third-Party Websites or Applications prior to completing this PIA.



Questions with an asterisk (*) represent the information necessary to complete the PIA Summary for transmission to OMB and public posting in accordance with OMB M-03-22 and OMB M-10-23.



2

General Information


1. Third-Party Website or Application Name:

NIH/OD/SurveyGizmo







2. Is this a new PIA?

Yes



2a. If this is a revision of an existing PIA, please provide a reason for revision:

N/A







3. Date of this Submission:

Apr 13, 2016







4. OPDIV Name:

NIH







5. Unique Project Identifier (UPI) Number for current fiscal year (if applicable):

N/A







6. Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?

No



6a. If yes, indicate the SORN number or describe the plans to put one in place:

N/A







7. Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?

No



7a. If yes, indicate the OMB approval number and approval number expiration date or describe the plans to obtain OMB clearance:

N/A







8. Does the third-party Website or application contain Federal records?

No








*9. Point of Contact (POC). The POC is the person to whom questions about the responses to the third-party Website or application PIA may be addressed:







Point of Contact Information




Name

Greg Ricalde



Title

Privacy SME, NIH/OD/OM/OMA/DMS



Location

6011 Executive Boulevard, Suite 601, Rockville, MD 20892



Phone Number

(301) 451-3426





10. Describe the specific purpose for the OPDIV use of the third-party Website or application:

Survey Gizmo is an online application that enables users or organizations to create and host content-specific surveys for target audiences. NIH will use this application to conduct both internal and external surveys for objectives including program evaluation, staff opinions and suggestions, and process improvement.


Please find Survey Gizmo’s Privacy Policy here: http://www.surveygizmo.com/privacy/



3

Requirements


11. Have the third-party’s privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?

Yes







12. Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:

Multiple other vendors provide functionality similar to Survey Gizmo. A few include: Survey Monkey, Typeform, Google Forms, Client Heartbeat, Zoho Survey, and Survey Planet.







13. Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?

Yes







14. How does the public navigate to the third-party Website or application from the OPDIV: (i) an external hyperlink from an HHS Website or Website operated on behalf of HHS; (ii) incorporated or embedded on HHS Website; or (iii) Other?

(iii) Other



14a. If other, please describe how the public navigates to the third-party Website or application:

A link will be provided to the website through an email invitation to the specified survey audience, which is sent from the survey administrator.



14b. If the public navigates to the third-party Website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?

No



4

Notice Practices


15. Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?

Yes



15a. Provide a hyperlink to the OPDIV Privacy Policy:

http://www.nih.gov/about/privacy.htm







16. Is an OPDIV Privacy Notice posted on the third-party Website or application?

Yes



16a. Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy.

Yes



16b. Is the OPDIV’s Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available?

Yes



5

Information Collection & Use Practices


17. Is PII collected by the OPDIV from the third-party Website or application?

Yes



18. Will the third-party Website or application make PII available to the OPDIV?

Yes



19. Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:

For NIH purposes, email addresses are the only personal identifier which the public could make available to the OPDIV through the use of Survey Gizmo. The intended use of PII is to have an electronic location to send the survey to the specified user.



6

Information Sharing & Maintenance Practices


20. Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:

The only PII that will/could be shared is the email addresses of individuals in the target survey audience. This PII will be shared with the survey administrator to confirm who has or has not completed the requested survey.



20a. If PII is shared, how are the risks of sharing PII mitigated?

The limited PII that is shared is only accessible to the survey administrator who holds all the Survey Gizmo credentials to sign into the platform. This limited accessibility to the information can be seen as a way to mitigate privacy risk.







21. Will the PII from the third-party Website or application be maintained by the OPDIV?

No



21a. If PII will be maintained, indicate how long the PII will be maintained:

N/A







22. Describe how PII that is used or maintained will be secured:

N/A







23. What other privacy risks exist and how will they be mitigated?

NIH cannot control and protect the content of a survey application distributed by a third-party website outside of the NIH network. However, ICs will post a privacy notice at the top of the survey in the summary section.


Survey Gizmo's privacy policy states that they do not retain any outside information and that sharing of any survey-related data is in the hands of the survey administrators.



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: Primavera ProSight Report
Author: Hummel, Eric
File Modified: 0000-00-00
File Created: 2021-01-26
