attachment_9_PIA

06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Trials
Support Unit (CTSU
PIA SUMMARY AND APPROVAL COMBINED
PIA Summary
Is this a new PIA 2011? No
If this is an existing PIA, please provide a reason for revision: PIA Validation
1. Date of this Submission: 8/24/2012
2. OPDIV Name: NIH
3. Unique Project Identifier (UPI) Number: Requested
4. Privacy Act System of Records (SOR) Number (If response to Q.21 is Yes, a SORN
number is required for Q.4): 09-25-0200
5. OMB Information Collection Approval Number: Requested
6. Other Identifying Number(s): N/A
7. System Name (Align with system Item name): NIH NCI Cancer Trials Support Unit
(CTSU)
9. System Point of Contact (POC). The System POC is the person to whom questions about
the system and the responses to this PIA may be addressed: Mike Montello
10. Provide an overview of the system: The Cancer Trials Support Unit (CTSU) is a service
offered by the National Cancer Institute to enhance and facilitate access to cancer clinical trials
for clinical investigators in the United States and Canada. The CTSU maintains a broad menu of
trials developed by the adult cancer Cooperative Groups and other research consortia and works
with these organizations to offer patient enrollment, data collection, data quality management,
and enrollment reimbursement services to clinical sites entering patients in these trials. In
addition, the CTSU offers a regulatory support service to all adult cancer clinical trials by
collection of regulatory documents and maintenance of a national database of investigators and
sites. The CTSU also provides education and training for clinical site staff and clinical trials
promotion services to help increase enrollment in cancer trials. A large and complex information
technology infrastructure has been developed to support CTSU operations and exchange data
with other data centers involved in cancer research. Westat is the prime contractor on the project,
having two subcontractors, and working with numerous other organizations.
13. Indicate if the system is new or an existing one being modified: Existing
17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII
within any database(s), record(s), file(s) or website(s) hosted by this system? (Note: This
question seeks to identify any, and all, personal information associated with the system.
This includes any PII, whether or not it is subject to the Privacy Act, whether the
individuals are employees, the public, research subjects, or business partners, and whether
provided voluntarily or collected by mandate. Later questions will try to understand the
character of the data and its applicability to the requirements under the Privacy Act or
other legislation. Does/Will the system collect, maintain (store), disseminate and/or pass
through PII within any database(s), record(s), file(s) or website(s) hosted by this system?):
Yes

21. Is the system subject to the Privacy Act? (If response to Q.19 is Yes, response to Q.21
must be Yes and a SORN number is required for Q.4): Yes
23. If the system shares or discloses IIF please specify with whom and for what purpose(s):
CTSU shares NCI Investigator and NCI Associates data with CTEP-ESYS – a NCI sponsored
project and other Cooperative Groups, to increase participation in NCI sponsored cancer related
clinical trials.
With increased awareness and access to the trials information, CTEP intends to increase
physician and patient participation in the NCI sponsored trials.
CTSU shares this information, which may contain IIF, with lead research organizations for the
purpose of assuring patient safety, for scientific decision making, drug distribution, regulatory
oversight (i.e., investigator registration; trial audits) and to facilitate administrative operations.
CTSU also shares this information with the Cooperative Groups and with NCI Center for
Biomedical Informatics and Information Technology’s Clinical Data System (CBIIT-CDS).
Some of this information is available to staff at Cooperative Group member sites on a limited
basis.
Some of the information that CTSU shares with CTEP and CBIIT-CDS is also publicly available
elsewhere.
30. Please describe in detail: (1) the information the agency will collect, maintain, or
disseminate; (2) why and for what purpose the agency will use the information; (3) in this
description, explicitly indicate whether the information contains PII; and (4) whether
submission of personal information is voluntary or mandatory: Legislation authority is the
Public Health Service Act (42 U.S.C. 241, 242, 248, 282, 284, 285a-j, 285l-q, 287, 287b, 287c,
289a, 289c, and 44 U.S.C. 3101.).
The types of data used are scientific and health data about cancer clinical trials, including clinical
and pre-clinical data with associated regulatory and administrative supporting information.
Patient participation in CTEP clinical trials is voluntary and participants in CTEP clinical trials
sign an informed consent. Types of information available in the CTSU Enterprise include
protocols and protocol attributes, Investigator registration details, and non-IIF patient accrual
details. The information is used to assure patient safety, for scientific decision making, drug
distribution, regulatory oversight (i.e., investigator registration; trial audits) and to facilitate
administrative operations.
The CTSU collects and maintains various types of data.
Investigator and treatment site staff information is obtained from the CTEP-ESYS and
maintained in the CTSU. Cooperative Group staff use this data to maintain their membership
rosters. This data is used as part of the credentialing requirements for patient enrollments.
Protocol and regulatory information related to the member sites is collected and maintained in
the CTSU Enterprise.

This data is disseminated to Cooperative Groups to support patient enrollment and data
collection processes.
The CTSU also performs patient enrollments and will begin to collect demographic, eligibility
criteria data, and other enrollment required data as part of this process. This data is collected on
behalf of and shared with the organization that is leading a study.
For some studies, the CTSU performs the complete data management and collects/maintains the
clinical data collected for a study and disseminates it to the organization leading the study.
Patient participation in CTEP clinical trials is voluntary.
PII collected and maintained includes name, date of birth, social security number, mailing
address, phone number, medical records number, medical notes, and email address.
31. Please describe in detail any processes in place to: (1) notify and obtain consent from
the individuals whose PII is in the system when major changes occur to the system (e.g.,
disclosure and/or data uses have changed since the notice at the time of the original
collection); (2) notify and obtain consent from individuals regarding what PII is being
collected from them; and (3) how the information will be used or shared.
(Note: Please describe in what format individuals will be given notice of consent [e.g.,
written notice, electronic notice, etc.]) Users that access the systems must reregister on an
annual basis and any changes would be communicated through that process.
NCI Investigators furnish their information to CTEP in a written application. IIF related to the
Regulatory Support System (RSS)/Financial Management System (FMS) [JM1] are supplied to
the CTSU at the time of account request via a standard application.
Participating research organizations require trial participants to sign an authorization to use or
disclose identifiable health information for research. A subject cannot enroll in a study without
providing one of these release forms. They can withdraw the authorization at a later time, but
then must leave the study. The link to the form is https://www.ctsu.org/HIPAA/
32. Does the system host a website? (Note: If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of PII):
Yes
37. Does the website have any information or pages directed at children under the age of
thirteen?:
50. Are there policies or guidelines in place with regard to the retention and destruction of
PII? (Refer to the C&A package and/or the Records Retention and Destruction section in
SORN):
54. Briefly describe in detail how the IIF will be secured on the system using
administrative, technical, and physical controls.: CTSU data is maintained in a secure
database.

The following are in place as Management Controls:
· Rules of Behavior
· System Security Plan
· Configuration Management, Change Management Plans and Processes
· Disaster Recovery Plan
· Interconnection Security Agreement
The following are in place as Technical controls for CTSU:
· User ID and Passwords are required to login to CTSU applications
· The CTSU application is hosted within Westat Network boundaries and is protected by Westat
provided Perimeter Firewall and Intrusion Detection Systems
· SSL Encryption is enabled to access web based interfaces of CTSU modules, where necessary
· Proactive Systems Monitoring and Alerts Management
· Anti-virus, security updates and patching procedures
· Periodic vulnerability scans for CTSU systems – both internal and external
· Incidence Response Procedures
· System and Database Audit Trails and Logs
The following are in place as Operational controls for CTSU:
· Personnel Security
· Security Training/Clearance Process for all personnel working on CTSU
· Westat Hiring and Termination Process
· Non Disclosure Agreements for all employees working on CTSU
· All employees take/review NIH CIT Security Awareness Training on an annual basis
· Physical and Environmental Protection
· Visitor Log Procedures
· Backup Procedures
· Offsite Storage for Tapes
· Video Surveillance of Data Center
· AC Maintenance Process
· Contingency /Disaster Recovery Plan – tested regularly (last test on 11/2/08)
· Incidence Response Procedures
· Alerts and Scans
· Identification and Authentication
· User Account Management Process
· Role based user access to systems

· Password Change Policies (in sync with CTEP-ESYS)
· Procedures for handling lost/compromised passwords
· Audit Trails
The system falls under the Privacy Act System of Records Notice 09-25-0200
PIA Approval
PIA Reviewer Approval: Promote
PIA Reviewer Name: Suzy Milliard
Sr. Official for Privacy Approval: Promote
Sr. Official for Privacy Name: Karen Plá
Sign-off Date: 9/28/2012
Approved for Web Publishing: Yes
Date Published: <>
_____________________________________________________________________________