Pia

Attachment 6 - PrivacyImpactAssessmentForm_FINAL_050819.docx

Formative Research, Pretesting, and Customer Satisfaction of NCI's Communication and Education Resources (NCI)

PIA

OMB: 0925-0046

Document [docx]
Download: docx | pdf

Shape1 Shape2

Save


Privacy Impact Assessment Form

v 1.47.4


Status Development Form Number Form Date 05/08/19


Question Answer


  1. OPDIV: National Cancer Institute, Center for Cancer Research

  2. PIA Unique Identifier:


2a Name: CCR Faculty Careers Application System






  1. The subject of this PIA is which of the following?





3a Identify the Enterprise Performance Lifecycle Phase of the system.


3b Is this a FISMA-Reportable system?


Does the system include a Website or online


General Support System (GSS) Major Application

Minor Application (stand-alone) Minor Application (child) Electronic Information Collection Unknown

Development


Yes No

Yes

















Accept

  1. application available to and for the use of the general

public? No

Reject


  1. Shape4

    Agency

    Contractor

    Identify the operator.



POC Title Federal Lead of Software Solutions




  1. Point of Contact (POC):

POC Name Mei Liu, PMP, CSM


Center for Biomedical



Accept

POC Organization Informatics and Information

Technology (CBIIT)

Reject


POC Email [email protected]


POC Phone 240-276-6921

  1. Shape5 Shape6

    Yes

    No

    New

    Existing

    Is this a new or existing system?

  1. Shape7 Does the system have Security Authorization (SA)?

Accept Reject

Shape8 Shape9 Shape10 Shape11 Shape12 Shape13 Shape14 Shape15 Shape16 Shape17 Shape18 Shape19 Shape20 Shape21 Shape22 Shape23 Shape24


8b Planned Date of Security Authorization

November 15, 2019

Not Applicable






11 Describe the purpose of the system.

Application system designed to allow faculty recruitment candidates to apply for positions electronically thus eliminating the need to submit paper applications via the mail. The system also allows for search committee members to rate and rank candidates electronically thus eliminating the need for printing multiple copies of applications to distribute to committee members.




Accept Reject

Describe the type of information the system will The application form requires that the candidate provide:

12 collect, maintain (store), or share. (Subsequent email address, home phone, business phone, degree

questions will identify if this information is PII and ask information, home address, business address, and the names

about the specific data elements.) and contact information for three references. Additionally, the

Accept Reject

Provide an overview of the system and describe the Applicant information, including candidate's email address,

13 information it will collect, maintain (store), or share, home phone, business phone, degree information, home

either permanently or temporarily. address, business address, the names and contact information

Accept Reject


14 Does the system collect, maintain, use or share PII?

Yes

No

Accept

Reject













15 Indicate the type of PII that the system will collect or maintain.

Social Security Number Date of Birth

Name Photographic Identifiers Driver's License Number Biometric Identifiers

Mother's Maiden Name Vehicle Identifiers

E-Mail Address Mailing Address

Phone Numbers Medical Records Number

Medical Notes Financial Account Info

Certificates Legal Documents

Education Records Device Identifiers

Military Status Employment Status

Foreign Activities Passport Number Taxpayer ID

Other... Names and contact information of references. Other...Resumes/CVs/supporting documents from applicants Other...Letters of Recommendation from references

Other...

Other...












Accept Reject




16 Indicate the categories of individuals about whom PII is collected, maintained or shared.

Employees

Public Citizens

Business Partners/Contacts (Federal, state, local agencies) Vendors/Suppliers/Contractors

Patients

Other




Accept Reject

Shape25 Shape26 Shape27 Shape28 Shape29 Shape30 Shape31 Shape32 Shape33 Shape34 Shape35 Shape36 Shape37 Shape38 Shape39 Shape40 Shape41 Shape42 Shape43

17 How many individuals' PII is in the system? 500-4,999

Accept

Reject


18 For what primary purpose is the PII used? The PII is used primarily to contact candidates.

Accept

Reject

19 Describe the secondary uses for which the PII will be used (e.g. testing, training or research)


N/A

Accept

Reject


20 Describe the function of the SSN. N/A - SSN information is not collected.

Accept Reject


20a Cite the legal authority to use the SSN. N/A - SSN information is not collected.

21 Identify legal authorities governing information use SORN 09-25-0168 and disclosure specific to the system and program.

Accept

Reject

Are records on the system retrieved by one or more Yes

22 PII data elements? No

Accept

Reject


Published: SORN 09-25-0168



Identify the number and title of the Privacy Act

System of Records Notice (SORN) that is being used Published: 22a to cover the system or identify if a SORN is being

developed.

Published:


In Progress

Directly from an individual about whom the information pertains

In-Person Hard Copy: Mail/Fax

Email Online

Other Government Sources

Within the OPDIV Other HHS OPDIV

23 Identify the sources of PII in the system. State/Local/Tribal

Foreign Other Federal Entities

Other Non-Government Sources

Members of the Public Commercial Data Broker Public Media/Internet

Private Sector

Other












Accept Reject

Shape66 Shape44 Shape45 Shape46 Shape47 Shape48 Shape49 Shape50 Shape51 Shape52 Shape53 Shape54 Shape55 Shape56 Shape57 Shape58 Shape59 Shape60 Shape61 Shape62 Shape63 Shape64 Shape65

Users

Reviewing Candidates

Administrators

Reviewing Candidates

Developers

Migration/Maintenance of Data

Contractors

Migration/Maintenance of Data

Others





23a

Identify the OMB information collection approval number and expiration date.

0925-0046

07/31/2019



24


Is the PII shared with other organizations?

Yes

No

Accept

Reject


25

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The Burden and Privacy Act statement is included on all public- facing pages of the system.

Accept

Reject


26

Is the submission of PII by individuals voluntary or mandatory?

Voluntary

Mandatory

Accept

Reject



27

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

PII collected is candidate contact information only. Without collecting this data, we will be unable to contact candidates to provide updates on the status of their applications, contact for interviews, etc.


Accept Reject




28

Describe the process to notify and obtain consent

from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure

and/or data uses have changed since the notice at All applicants will be contacted via email if major changes

the time of original collection). Alternatively, describe occur to disclosure and/or data uses, etc.

why they cannot be notified or have their consent obtained.



Accept Reject



29

Describe the process in place to resolve an

individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.


Individuals may contact the application administrator via email to discuss concerns pertaining to PII. We will follow all processes and procedures as outlined in SORN 09-25-0168.


Accept Reject


30

Describe the process in place for periodic reviews of

PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

PII is only reviewed during the application review step, where applicants are given a score based on their resume/CV and references.

Accept Reject







31


Shape67 Shape68


Shape69 Shape70

Identify who will have access to the PII in the system and the reason why they require access.


Shape71 Shape72


Shape73







Accept Reject


32

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Administrators and users may access PII. If an issue occurs in production, developers/contractors may need to gain access to the system containing PII to troubleshoot the issue.

Accept Reject



33


Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Users are only allowed to access applicant PII for specific positions if they have been given access by the administrator. Developers/Contractors may be given temporary access by the administrator to troubleshoot any issues that occur in production.


Accept Reject

Shape74 Shape75 Shape76 Shape77 Shape78 Shape79 Shape80 Shape81 Shape82 Shape83 Shape84 Shape85 Shape86 Shape87 Shape88 Shape89 Shape90 Shape91 Shape92 Shape93 Shape94 Shape95 Shape96 Shape97 Shape98 Shape99

Identify training and awareness provided to

personnel (system owners, managers, operators, N/A there are no plans to provide additional training to

contractors and/or program managers) using the personnel. Access to the system is very limited and

34 system to make them aware of their responsibilities responsibilities for the protection of information being

for protecting the information being collected and collected and maintained is covered in annual security and

maintained. privacy awareness training.



Accept Reject

Describe training system users receive (above and

35 beyond general security and privacy awareness N/A training).

Accept Reject

Do contracts include Federal Acquisition Regulation Yes

36 and other appropriate clauses ensuring adherence to

privacy provisions and practices? No

Accept Reject

Describe the process and guidelines in place with

37 regard to the retention and destruction of PII. Cite Application records/PII information will be removed within six

specific records retention schedules. months of filling the vacancy.

Accept Reject

Describe, briefly but with specificity, how the PII will

38 be secured in the system using administrative, Users may only access applicant data if they have permission

technical, and physical controls. to do so. Administrators control user access.

Accept Reject


39 Identify the publicly-available URL: https://service.cancer.gov/ccr-careers

Accept

Reject

Yes

40 Does the website have a posted privacy notice?

No

Accept

Reject

Does the website use web measurement and Yes

41 customization technology? No

Accept

Reject

Does the website have any information or pages Yes

42 directed at children under the age of thirteen? No

Accept Reject

Does the website contain links to non- federal Yes

43 government websites external to HHS? No

Accept

Reject

Is a disclaimer notice provided to users that follow Yes 43a external links to websites not owned or operated by

HHS? No



REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions Answer

Yes

1 Are the questions on the PIA answered correctly, accurately, and completely?

No

Accept

Reject

Reviewer

Notes

Does the PIA appropriately communicate the purpose of PII in the system and is the purpose Yes

2 justified by appropriate legal authorities? No

Accept

Reject

Reviewer

Notes

Do system owners demonstrate appropriate understanding of the impact of the PII in the Yes

3 system and provide sufficient oversight to employees and contractors? No

Accept

Reject

Shape100 Shape101 Shape102 Shape103 Shape104 Shape105 Shape106 Shape107 Shape108 Shape109 Shape110 Shape111 Shape112 Shape113 Shape114 Shape115 Shape116 Shape117 Shape118


Reviewer Questions

Answer


Reviewer

Notes


4


Does the PIA appropriately describe the PII quality and integrity of the data?

Yes

No

Accept

Reject

Reviewer

Notes


5


Is this a candidate for PII minimization?

Yes

No

Accept

Reject

Reviewer

Notes


6


Does the PIA accurately identify data retention procedures and records retention schedules?

Yes

No

Accept

Reject

Reviewer

Notes


7


Are the individuals whose PII is in the system provided appropriate participation?

Yes

No

Accept

Reject

Reviewer

Notes


8


Does the PIA raise any concerns about the security of the PII?

Yes

No

Accept

Reject

Reviewer

Notes

9

Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be?

Yes

No

Accept

Reject

Reviewer

Notes


10


Is the PII appropriately limited for use internally and with third parties?

Yes

No

Accept

Reject

Reviewer

Notes


11


Does the PIA demonstrate compliance with all Web privacy requirements?

Yes

No

Accept

Reject

Reviewer

Notes


12


Were any changes made to the system because of the completion of this PIA?

Yes

No

Accept

Reject

Reviewer

Notes




General Comments


Shape119



OPDIV Senior Official for Privacy Signature

HHS Senior Agency Official for Privacy



Third-Party Website Assessment PIA Form

v 1.47.4


Status Form Number Read Only Form Date Read Only


Question Answer


  1. OPDIV: Read Only - OPDIV

  2. TPWA Unique Identifier (UID): Read Only - TPWA UID

  3. TPWA Name: Read Only - TPWA Name


  1. Is this a new TPWA?







Yes No


4a Please provide the reason for revision


Will the use of a third-party Website or application

  1. create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy

Act?


5a Indicate the SORN number (or identify plans to put one in place.)


Will the use of a third-party Website or application

  1. create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?


Indicate the OMB approval number and approval 6a number expiration date (or describe the plans to

obtain OMB clearance.)



  1. Does the third-party Website or application contain Federal Records?






SORN Number:


If not published:





OMB Approval Number Expiration Date Explanation


Yes No






Yes No







Yes No


Accept Reject






Accept Reject







Accept Reject

POC Title




  1. Point of Contact (POC):

POC Name


POC Organization POC Email


Accept Reject

POC Phone


  1. Shape120 Describe the specific purpose for the OPDIV use of the third-party Website or application:

Accept Reject

Shape121 Shape122 Shape123 Shape124 Shape125 Shape126 Shape127 Shape128 Shape129 Shape130 Shape131 Shape132 Shape133 Shape134

Have the third-party privacy policies been reviewed

10 to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?

Yes

No

Accept

Reject

Describe alternative means by which the public can

11 obtain comparable information or services if they choose not to use the third-party Website or

application:


Accept Reject

Does the third-party Website or application have

12 appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?

Yes

No

Accept

Reject

13 How does the public navigate to the third party Website or application from the OPIDIV?


Accept

Reject

13a Please describe how the public navigate to the third- party website or application:

If the public navigate to the third-party website or

13b application via an external hyperlink, is there an alert to notify the public that they are being directed to a

nongovernmental Website?

Yes No


Has the OPDIV Privacy Policy been updated to

14 describe the use of a third-party Website or application?

Yes No

Accept Reject

14a Provide a hyperlink to the OPDIV Privacy Policy:

15 Is an OPDIV Privacy Notice posted on the third-party Website or application?

Yes No

Accept Reject

Confirm that the Privacy Notice contains all of the

following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII

15a that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy





Yes No


Is the OPDIV's Privacy Notice prominently displayed

15b at all locations on the third-party Website or application where the public might make PII

available?

Yes No


16 Is PII collected by the OPDIV from the third-party Website or application?

Yes

No

Accept

Reject

17 Will the third-party Website or application make PII available to the OPDIV?

Yes

No

Accept

Reject

Describe the PII that will be collected by the OPDIV

from the third-party Website or application and/or

18 the PII which the public could make available to the OPDIV through the use of the third-party Website or

application and the intended or expected use of the PII:




Accept Reject

Shape135 Shape136 Shape137 Shape138 Shape139 Shape140 Shape141 Shape142 Shape143 Shape144 Shape145 Shape146 Shape147 Shape148 Shape149 Shape150 Shape151 Shape152 Shape153

Describe the type of PII from the third-party Website

19 or application that will be shared, with whom the PII will be shared, and the purpose of the information

sharing:



Accept Reject

19a If PII is shared, how are the risks of sharing PII mitigated?

20 Will the PII from the third-party Website or application be maintained by the OPDIV?

Yes

No


Accept

Reject

20a If PII will be maintained, indicate how long the PII will be maintained:

21 Describe how PII that is used or maintained will be secured:



Accept

Reject

22 What other privacy risks exist and how will they be mitigated?



Accept

Reject


REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions


Answer



1


Are the responses accurate and complete?


Yes

No

Accept

Reject

Reviewer

Notes


2

Is the TPWA compliant with all M-10-23 requirements, including appropriate branding and alerts?

Yes

No

Accept

Reject

Reviewer

Notes


3

Has the OPDIV posted an updated privacy notice on the TPWA and does it contain the five required elements?

Yes

No

Accept

Reject

Reviewer

Notes


4


Does the PIA clearly identify PII made available and/or collected by the TPWA?


Yes

No

Accept

Reject

Reviewer

Notes


5


Is the handling of PII appropriate?


Yes

No

Accept

Reject

Reviewer

Notes

Shape154 Shape155


REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.


General Comments


Shape156



OPDIV Senior Official for Privacy Signature

HHS Senior Agency Official for Privacy


Shape3

Page 4 of 10


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorHirsch, Quinn N. EOP/OMB
File Modified0000-00-00
File Created2021-01-15

© 2024 OMB.report | Privacy Policy