Attachment 6: Privacy Impact Assessment (PIA)
06.3 HHS PIA Summary for Posting (Form) / NIH NCI PLCO Research
Database (PLCO)
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 7/30/2010
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Not Applicable
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): No
5. OMB Information Collection Approval Number: No
6. Other Identifying Number(s): NCI-59
7. System Name (Align with system Item name): NIH NCI PLCO Research Database (PLCO)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Dorothy Sullivan
10. Provide an overview of the system: The system is used for monitoring, quality control, and
analysis of the PLCO trial.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
No
21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): No
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
No IIF in the system
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: This sytem is used to store
and monitor data from the participants in the PLCO and NLST prevention trials. Such data
consists of results of screening tests such as chest x-rays, serum PSA and CA-125,
sigmoisoscopy, etc. Medical history and other questionaire information is also stored. To protect
confidentially, the data in this system is referenced by a randomly assigned participant ID code
only. The actual identity of the participant is known only to the screening center at which these
tests were conducted. Since these participants are treated as clinical patients at these centers,
their true identity is considered confidential, as with any patient, and is protected in accordance
with HIPPA regulations to which all of these screening centers must adhere.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) No IIF.
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII): No
37. Does the website have any information or pages directed at children under the age of
thirteen?: No
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN): No
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: Information is secured using
username/passwords, least privilege, separation of duties, an intrusion detection system,
firewalls, locks, badge access, background investigations. A comprehensive IRT capability is
also maintained.
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2010
Approved for Web Publishing: Yes
Date Published: February 22, 2011
| File Type | application/msword |
| Author | Vivian Horovitch-Kelley |
| Last Modified By | Kristen Keating |
| File Modified | 2015-03-25 |
| File Created | 2012-09-25 |