Save
v 1.47.4
Status Development Form Number Form Date 05/08/19
Question Answer
OPDIV: National Cancer Institute, Center for Cancer Research
PIA Unique Identifier:
2a Name: CCR Faculty Careers Application System
The subject of this PIA is which of the following?
3a Identify the Enterprise Performance Lifecycle Phase of the system.
3b Is this a FISMA-Reportable system?
Does the system include a Website or online
General Support System (GSS) Major Application
Minor Application (stand-alone) Minor Application (child) Electronic Information Collection Unknown
Development
Yes No
Yes
Accept
application available to and for the use of the general
public? No
Reject
Agency Contractor
POC Title Federal Lead of Software Solutions
Point of Contact (POC):
POC Name Mei Liu, PMP, CSM
Center for Biomedical
Accept
POC Organization Informatics and Information
Technology (CBIIT)
Reject
POC Email [email protected]
POC Phone 240-276-6921
Yes No
New Existing
Does the system have Security Authorization (SA)?
Accept Reject
8b Planned Date of Security Authorization |
November 15, 2019 Not Applicable |
|
11 Describe the purpose of the system. |
Application system designed to allow faculty recruitment candidates to apply for positions electronically thus eliminating the need to submit paper applications via the mail. The system also allows for search committee members to rate and rank candidates electronically thus eliminating the need for printing multiple copies of applications to distribute to committee members. |
Accept Reject |
Describe the type of information the system will The application form requires that the candidate provide: 12 collect, maintain (store), or share. (Subsequent email address, home phone, business phone, degree questions will identify if this information is PII and ask information, home address, business address, and the names about the specific data elements.) and contact information for three references. Additionally, the |
Accept Reject |
|
Provide an overview of the system and describe the Applicant information, including candidate's email address, 13 information it will collect, maintain (store), or share, home phone, business phone, degree information, home either permanently or temporarily. address, business address, the names and contact information |
Accept Reject |
|
14 Does the system collect, maintain, use or share PII? |
Yes No |
Accept Reject |
15 Indicate the type of PII that the system will collect or maintain. |
Social Security Number Date of Birth Name Photographic Identifiers Driver's License Number Biometric Identifiers Mother's Maiden Name Vehicle Identifiers E-Mail Address Mailing Address Phone Numbers Medical Records Number Medical Notes Financial Account Info Certificates Legal Documents Education Records Device Identifiers Military Status Employment Status Foreign Activities Passport Number Taxpayer ID Other... Names and contact information of references. Other...Resumes/CVs/supporting documents from applicants Other...Letters of Recommendation from references Other... Other... |
Accept Reject |
16 Indicate the categories of individuals about whom PII is collected, maintained or shared. |
Employees Public Citizens Business Partners/Contacts (Federal, state, local agencies) Vendors/Suppliers/Contractors Patients Other |
Accept Reject |
17 How many individuals' PII is in the system? 500-4,999 |
Accept Reject |
|
18 For what primary purpose is the PII used? The PII is used primarily to contact candidates. |
Accept Reject |
|
19 Describe the secondary uses for which the PII will be used (e.g. testing, training or research) |
N/A |
Accept Reject |
20 Describe the function of the SSN. N/A - SSN information is not collected. |
Accept Reject |
|
20a Cite the legal authority to use the SSN. N/A - SSN information is not collected. |
||
21 Identify legal authorities governing information use SORN 09-25-0168 and disclosure specific to the system and program. |
Accept Reject |
|
Are records on the system retrieved by one or more Yes 22 PII data elements? No |
Accept Reject |
|
Published: SORN 09-25-0168
Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used Published: 22a to cover the system or identify if a SORN is being developed. Published:
In Progress |
||
Directly from an individual about whom the information pertains In-Person Hard Copy: Mail/Fax Email Online Other Government Sources Within the OPDIV Other HHS OPDIV 23 Identify the sources of PII in the system. State/Local/Tribal Foreign Other Federal Entities Other Non-Government Sources Members of the Public Commercial Data Broker Public Media/Internet Private Sector Other |
Accept Reject |
Users
Reviewing
Candidates
Administrators
Reviewing
Candidates
Developers
Migration/Maintenance
of Data
Contractors
Migration/Maintenance
of Data
Others
23a |
Identify the OMB information collection approval number and expiration date. |
0925-0046 07/31/2019 |
|
24 |
Is the PII shared with other organizations? |
Yes No |
Accept Reject |
25 |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. |
The Burden and Privacy Act statement is included on all public- facing pages of the system. |
Accept Reject |
26 |
Is the submission of PII by individuals voluntary or mandatory? |
Voluntary Mandatory |
Accept Reject |
27 |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. |
PII collected is candidate contact information only. Without collecting this data, we will be unable to contact candidates to provide updates on the status of their applications, contact for interviews, etc. |
Accept Reject |
28 |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at All applicants will be contacted via email if major changes the time of original collection). Alternatively, describe occur to disclosure and/or data uses, etc. why they cannot be notified or have their consent obtained. |
Accept Reject |
|
29 |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. |
Individuals may contact the application administrator via email to discuss concerns pertaining to PII. We will follow all processes and procedures as outlined in SORN 09-25-0168. |
Accept Reject |
30 |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. |
PII is only reviewed during the application review step, where applicants are given a score based on their resume/CV and references. |
Accept Reject |
31 |
Identify who will have access to the PII in the system and the reason why they require access.
|
Accept Reject |
|
32 |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. |
Administrators and users may access PII. If an issue occurs in production, developers/contractors may need to gain access to the system containing PII to troubleshoot the issue. |
Accept Reject |
33 |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. |
Users are only allowed to access applicant PII for specific positions if they have been given access by the administrator. Developers/Contractors may be given temporary access by the administrator to troubleshoot any issues that occur in production. |
Accept Reject |
Identify training and awareness provided to personnel (system owners, managers, operators, N/A – there are no plans to provide additional training to contractors and/or program managers) using the personnel. Access to the system is very limited and 34 system to make them aware of their responsibilities responsibilities for the protection of information being for protecting the information being collected and collected and maintained is covered in annual security and maintained. privacy awareness training. |
Accept Reject |
Describe training system users receive (above and 35 beyond general security and privacy awareness N/A training). |
Accept Reject |
Do contracts include Federal Acquisition Regulation Yes 36 and other appropriate clauses ensuring adherence to privacy provisions and practices? No |
Accept Reject |
Describe the process and guidelines in place with 37 regard to the retention and destruction of PII. Cite Application records/PII information will be removed within six specific records retention schedules. months of filling the vacancy. |
Accept Reject |
Describe, briefly but with specificity, how the PII will 38 be secured in the system using administrative, Users may only access applicant data if they have permission technical, and physical controls. to do so. Administrators control user access. |
Accept Reject |
39 Identify the publicly-available URL: https://service.cancer.gov/ccr-careers |
Accept Reject |
Yes 40 Does the website have a posted privacy notice? No |
Accept Reject |
Does the website use web measurement and Yes 41 customization technology? No |
Accept Reject |
Does the website have any information or pages Yes 42 directed at children under the age of thirteen? No |
Accept Reject |
Does the website contain links to non- federal Yes 43 government websites external to HHS? No |
Accept Reject |
Is a disclaimer notice provided to users that follow Yes 43a external links to websites not owned or operated by HHS? No |
|
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy. |
|
Reviewer Questions Answer |
|
Yes 1 Are the questions on the PIA answered correctly, accurately, and completely? No |
Accept Reject |
Reviewer Notes |
|
Does the PIA appropriately communicate the purpose of PII in the system and is the purpose Yes 2 justified by appropriate legal authorities? No |
Accept Reject |
Reviewer Notes |
|
Do system owners demonstrate appropriate understanding of the impact of the PII in the Yes 3 system and provide sufficient oversight to employees and contractors? No |
Accept Reject |
|
Reviewer Questions |
Answer |
|
|
Reviewer Notes |
||||
4 |
Does the PIA appropriately describe the PII quality and integrity of the data? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
5 |
Is this a candidate for PII minimization? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
6 |
Does the PIA accurately identify data retention procedures and records retention schedules? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
7 |
Are the individuals whose PII is in the system provided appropriate participation? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
8 |
Does the PIA raise any concerns about the security of the PII? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
9 |
Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
10 |
Is the PII appropriately limited for use internally and with third parties? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
11 |
Does the PIA demonstrate compliance with all Web privacy requirements? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
12 |
Were any changes made to the system because of the completion of this PIA? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
General Comments |
|
OPDIV Senior Official for Privacy Signature
HHS Senior Agency Official for Privacy
v 1.47.4
Status Form Number Read Only Form Date Read Only
Question Answer
OPDIV: Read Only - OPDIV
TPWA Unique Identifier (UID): Read Only - TPWA UID
TPWA Name: Read Only - TPWA Name
Is this a new TPWA?
Yes No
4a Please provide the reason for revision
Will the use of a third-party Website or application
create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy
Act?
5a Indicate the SORN number (or identify plans to put one in place.)
Will the use of a third-party Website or application
create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
Indicate the OMB approval number and approval 6a number expiration date (or describe the plans to
obtain OMB clearance.)
Does the third-party Website or application contain Federal Records?
SORN Number:
If not published:
OMB Approval Number Expiration Date Explanation
Yes No
Yes No
Yes No
Accept Reject
Accept Reject
Accept Reject
POC Title
Point of Contact (POC):
POC Name
POC Organization POC Email
Accept Reject
POC Phone
Describe the specific purpose for the OPDIV use of the third-party Website or application:
Accept Reject
Have the third-party privacy policies been reviewed 10 to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? |
Yes No |
Accept Reject |
Describe alternative means by which the public can 11 obtain comparable information or services if they choose not to use the third-party Website or application: |
|
Accept Reject |
Does the third-party Website or application have 12 appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? |
Yes No |
Accept Reject |
13 How does the public navigate to the third party Website or application from the OPIDIV? |
|
Accept Reject |
13a Please describe how the public navigate to the third- party website or application: |
||
If the public navigate to the third-party website or 13b application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? |
Yes No |
|
Has the OPDIV Privacy Policy been updated to 14 describe the use of a third-party Website or application? |
Yes No |
Accept Reject |
14a Provide a hyperlink to the OPDIV Privacy Policy: |
||
15 Is an OPDIV Privacy Notice posted on the third-party Website or application? |
Yes No |
Accept Reject |
Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII 15a that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy |
Yes No |
|
Is the OPDIV's Privacy Notice prominently displayed 15b at all locations on the third-party Website or application where the public might make PII available? |
Yes No |
|
16 Is PII collected by the OPDIV from the third-party Website or application? |
Yes No |
Accept Reject |
17 Will the third-party Website or application make PII available to the OPDIV? |
Yes No |
Accept Reject |
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or 18 the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: |
|
Accept Reject |
Describe the type of PII from the third-party Website 19 or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: |
|
|
Accept Reject |
|
19a If PII is shared, how are the risks of sharing PII mitigated? |
||||
20 Will the PII from the third-party Website or application be maintained by the OPDIV? |
Yes No |
|
Accept Reject |
|
20a If PII will be maintained, indicate how long the PII will be maintained: |
||||
21 Describe how PII that is used or maintained will be secured: |
|
|
Accept Reject |
|
22 What other privacy risks exist and how will they be mitigated? |
|
|
Accept Reject |
|
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy. |
||||
Reviewer Questions |
|
Answer |
|
|
1 |
Are the responses accurate and complete? |
|
Yes No |
Accept Reject |
Reviewer Notes |
||||
2 |
Is the TPWA compliant with all M-10-23 requirements, including appropriate branding and alerts? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
3 |
Has the OPDIV posted an updated privacy notice on the TPWA and does it contain the five required elements? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||
4 |
Does the PIA clearly identify PII made available and/or collected by the TPWA? |
|
Yes No |
Accept Reject |
Reviewer Notes |
||||
5 |
Is the handling of PII appropriate? |
|
Yes No |
Accept Reject |
Reviewer Notes |
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy. |
|||
General Comments |
|
|
|
OPDIV Senior Official for Privacy Signature |
HHS Senior Agency Official for Privacy |
Page
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Hirsch, Quinn N. EOP/OMB |
File Modified | 0000-00-00 |
File Created | 2021-01-15 |