Privacy Impact Assessment

Attachment 7-Privacy Impact Assessment.pdf

U.S. Nuclear Medicine Technologists Study (NCI)

Privacy Impact Assessment

OMB: 0925-0656

Attachment 7
U.S. Nuclear Medicine Technologists Study
Privacy Impact Assessment

v 1.43

Status

Form Number

Form Date

Read Only

Question

Answer

OPDIV:

2 PIA Unique Identifier:

2a Name:

3 The subject of this PIA is which of the following?

( ) General Support System (GSS)
( ) Major Application
( ) Minor Application (stand-alone)
( ) Minor Application (child)
( ) Electronic Information Collection
(x) Unknown

3a Identify the Enterprise Performance Lifecycle Phase of the system.

Operations and Maintenance

3b Is this a FISMA-Reportable system?

4 Does the system include a Website or online application available to and for the use of the general public?

5 Identify the operator.

( ) Yes
(x) No

6 Point of Contact (POC):

POC Title: Staff Scientist/Contracting Officer Representative
POC Name: Michele M. Doody
POC Email:
POC Phone:

7 Is this a new or existing system?

8 Does the system have Security Authorization (SA)?

8a Date of Security Authorization


11 Describe the purpose of the system.

The purpose of the system is to collect and store all data related to the U.S. Nuclear Medicine Technologists Study, including the cohort master file, questionnaire files, dosimetry files, medical outcome files, follow-up tracking and result files.

12 Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)

The system will collect and maintain information on personal identifiers, demographic characteristics, nuclear medicine technology certification and work histories, medical outcomes, disease risk factors, radiation doses, follow-up, vital status, and causes of death. De-identified data will be shared with NCI and other investigators to evaluate disease risks associated with radiation or other factors.

13

Provide an overview of the system and describe the
information it will collect, maintain (store), or share,
either permanently or temporarily.

The system collects and maintains information on a cohort of
U.S. nuclear medicine technologists certified by the Nuclear
Medicine Technology Certification Board or the American
Registry of Radiologic Technologists during 1981-2016. The
primary study objectives are to assess cancer and other disease
risks associated with chronic fractionated occupational
exposures to high-energy radioisotopes. Information obtained
from the certification organizations may include names,
addresses, dates of birth, gender, race, types and dates of
certification, email addresses, and social security numbers if
available. Study participants will be asked to provide on a
baseline computer-assisted web interview calendar-specific
nuclear medicine work histories (procedures performed, other
work practices, radiation protection measures), cancer and
other disease outcomes, disease risk factors (such as cigarette
smoking, reproductive factors, personal medical radiation
procedures). The study cohort will be followed for incident
cancers via linkage with state cancer registries and for cancer
and other causes of death through linkage with the National
Death Index. Badge dose records will be obtained through
linkage with a commercial dosimetry provider and used to
estimate occupational doses for individual technologists for
each year worked. The data will be stored for as long as cohort
follow-up and active data analysis continues. De-identified
data will be shared with NCI and other investigators to
evaluate disease risks associated with radiation or other
factors. An initial feasibility study will be conducted on a
sample of 1,500 out of an estimated 25,000 eligible nuclear
medicine technologists.

14

Does the system collect, maintain, use or share PII?

(x) Yes

( ) No

15 Indicate the type of PII that the system will collect or maintain.

[X] Social Security Number
Date of Birth
[X] Name
Photographic Identifiers
Biometric Identifiers
Driver's License Number
[ ] Vehicle Identifiers
[X] Mailing Address
Mother's Maiden Name
[X] E-Mail Address
Medical Records Number
Legal Documents
Education Records
Device Identifiers
Military Status
[X] Employment Status
Foreign Activities
Taxpayer ID
Passport Number
[ ] Financial Account Info
Medical Notes
[X] Certificates
Phone Numbers
Other: Medical outcomes and diagnosis dates
Other: Causes and dates of death
Other...

16 Indicate the categories of individuals about whom PII is collected, maintained or shared.

[ ] Employees
[ ] Public Citizens
[ ] Business Partners/Contacts (Federal, state, local agencies)
[ ] Vendors/Suppliers/Contractors
[ ] Patients
Other: U.S. nuclear medicine technologists

17 How many individuals' PII is in the system?

0,000-49,999

18

For what primary purpose is the PII used?

The PII is needed for cohort follow-up. Questionnaires will be
administered to collect information on occupational and
personal medical radiation exposures, cancer and other
disease risk factors, and cancer and other medical outcomes.
The cohort will also be linked with cancer registries to identify
unreported cancers and obtain detailed histology data on
reported cancers, the Social Security Administration (SSA) to
determine vital status, the National Center for Health Statistics
(NCHS), National Death Index (NDI) to obtain causes of death
for decedents, and a commercial dosimetry provider
(Landauer, Inc.) to obtain radiation badge dose readings.

19

Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)

None

20

Describe the function of the SSN.


Cite the legal authority to use the SSN.

The Social Security Administration program Service to Epidemiological Researchers to Provide Vital Status Data on Subjects of Health Research, OMB No. 0960-0701 is authorized under Section 205(r) of the Social Security Act. This authorization allows the investigators to provide the subject's name, date of birth, sex, and SSN. Linkage with the SSA records to determine who is alive and deceased is a cost-effective method of verifying vital status. Vital status is necessary to assess eligibility for continued contact and follow-up, linkage with state cancer registries, and linkage with National Center for Health Statistics to evaluate cause-specific mortality.

This study is authorized under Section 411 of the Public Health Service Act [42 USC 285a]

21 Identify legal authorities governing information use and disclosure specific to the system and program.

Public Health Service Act [42 USC 242m, Section 308(d)]
Privacy Act of 1974
Minnesota Government Data Practices Act (MGDPA), Chapter 13

22 Are records on the system retrieved by one or more PII data elements?

Yes

No

Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed.

Published: NIH Systems of Record 09-25-0200 [Clinical,
Published:
Published:
[ ] In Progress

23 Identify the sources of PII in the system.

Directly from an individual about whom the information pertains

In-Person
Hard Copy: Mail/Fax
[X] Online
Email
Other

Government Sources

[X]
Within the OPDIV
Other HHS OPDIV
[X] State/Local/Tribal
Foreign
Other Federal Entities
Other

Non-Government Sources

[X] Members of the Public
Commercial Data Broker
[X] Private Sector
Other
Public Media/Internet

Identify the OMB information collection approval number and expiration date.

24 Is the PII shared with other organizations?

(x) Yes
( ) No

24a Identify with whom the PII is shared or disclosed and for what purpose.

[X] Within HHS
PII will be shared with the NCHS/NDI to obtain causes of death for decedents.

[X] Other Federal Agency/Agencies
PII will be shared with SSA to obtain information on vital status.

[X] State or Local Agency/Agencies
PII will be shared with state cancer registries to identify unreported incident cancers and to obtain detailed histology data for registry-identified and self-reported cancers.

[X] Private Sector
PII will be shared with a commercial dosimetry provider (Landauer, Inc.) to obtain badge dose readings.

Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

Development of data security/transfer agreements between UMN and the certification boards (ARRT and NMTCB) is in process. Before any data linkages for individual studies, the SSA requires that a Memorandum of Understanding be established between the NCI and SSA, and the NCHS requires submission and approval of an NDI application. A long-standing agreement is in place with Landauer, Inc. to provide dosimetry records for medical radiation workers.

24c Describe the procedures for accounting for disclosures

Procedures are in place to ensure the safety and integrity of all data and programs within the UMN control. These procedures include virus prevention, hardware and software configuration, management, disaster recovery, and incident response.

In the event of a computer break-in, network intrusion, or data theft, the UMN policy for Network/Computer Incident Response establishes procedures to follow. Decisions will be made regarding the level of response required and the appropriate actions necessary to preserve evidence of the intrusion while restoring service to the affected entities.

25 Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Eligible nuclear medicine technologists will be sent a recruitment email inviting them to participate in the study. The email will include a brief description of the study, an individual-specific link and password to access the computer-assisted web interview, and a consent information sheet. The consent information sheet provides introductory and background information about the study, the procedures involved, the potential risks and benefits, the authority for collecting the data, data privacy, the voluntary nature of the study, and contacts to obtain additional information.

26 Is the submission of PII by individuals voluntary or mandatory?

(x) Voluntary
( ) Mandatory

27 Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Individuals can opt-out of the study by contacting the study office, by not logging in to the computer-assisted web interview, or by indicating on the consent form that they do not consent to complete the questionnaire. Any individual who agrees to participate can withdraw from the study at any time. Upon request, data already collected can be withdrawn from the database but cannot be withdrawn from analyses that are completed or are underway. This information is provided in the consent form.

28 Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

All study activities are reviewed and approved annually by the institution review boards (IRB) at NCI and UMN. Before any major changes are made to the system, the study team will seek NCI and UMN IRB approvals for the changes. IRB recommendations regarding subject notification and/or re-consent based on the specific nature of changes in disclosure or data use will be implemented. If either IRB requires a change in the consent, participants will be re-contacted by email in the same manner that they were recruited to participate in the study.

29 Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

There is a section in the study consent information sheet included with the study recruitment email and in the consent form included at the beginning of the computer-assisted web interview that reads: "Contacts and Questions: This study is being conducted by Bruce H. Alexander, PhD, in the School of Public Health at the University of Minnesota, in collaboration with the National Cancer Institute, the American Registry of Radiologic Technologists (ARRT), and the Nuclear Medicine Technologists Certification Board (NMTCB). If you have any questions about this study or about your rights as a study participant, please contact the research staff at the University of Minnesota. You may call (800) 447-6466 or email [email protected]. If you have any questions or concerns regarding this study and would like to talk to someone other than the researcher(s), you are encouraged to contact the Research Subjects' Advocate Line, D528 Mayo, 420 Delaware St SE, Minneapolis, MN 55455; (612) 625-1650."

The UMN will review all reported concerns on a case-by-case basis.

The UMN follows these IRB guidelines:
Federal regulations [45 CFR 46.103(b)(5) and 21 CFR 56.108(b)(1)] require the IRB to ensure that investigators promptly report "any unanticipated problems involving risk to subjects or others" (UPIRTSO). The IRB defines UPIRTSO as any problem or event which in the opinion of the local investigator was unanticipated, reflects new or increased risk to the subjects and was possibly related to the research procedures. The IRB makes the determination of whether the unanticipated problem meets the criteria as a UPIRTSO.

The Principal Investigator will provide his or her opinion of whether an event meets UPIRTSO criteria when reporting to the IRB. The IRB will determine whether the event reported fits the criteria for UPIRTSO and if any further changes to the approved study should be made as a result of the report. All problems/events that do not meet the IRB's requirements for prompt reporting will be reported to the IRB in summary form at the time of continuing annual review. The IRB has created a Non UPIRTSO Adverse Event Log template for researchers to use to track these events.

30

Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.

All of the Windows workstations log user access via Active
Directory. Access logs are reviewed daily for anomalies. An
automated reporting tool is used to analyze the server logs to
look for abnormal activity. Access is only available through
Local Area Network (LAN). A firewall is in place that logs all
incoming and outgoing connections to the LAN. This log is
maintained and checked for evidence of attempted
unauthorized access to the LAN.
UMN computer center staff performs weekly security checks of
the computer center resources using the Qualys vulnerability
scanner.

31 Identify who will have access to the PII in the system and the reason why they require access.

[X] Users
The University of Minnesota (UMN) is the coordinating center for this study. Only UMN staff working directly on this study will have access to the database where the PII will be stored. Individual staff members will only have access to the specific PII needed to perform their specific tasks.

[X] Administrators
To perform backups and disaster recovery functions.

[ ] Developers
[ ] Contractors
[ ] Others

32 Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

The University of Minnesota deploys Active Directory (AD) technology with Shibboleth to authorize and authenticate user access to network resources. Depending on the study, access may also include IP address authentication. All computers require a University account to log in.

33

Describe the methods in place to allow those with
access to PII to only access the minimum amount of
information necessary to perform their job.

The UMN study management team determines the type and
scope of data access per individual staff member. Each staff
member has access only to the specific PII needed to perform
their specific tasks. User account privileges are configured
accordingly by system administrators. PII will be shared with
the SSA to obtain information on vital status and with the
National Center for Health Statistics (NCHS) to obtain causes of
death for decedents from NDI. These privileges are removed
from accounts when staff leave the study. Also, accounts are
automatically locked after three failed login attempts and can
only be unlocked by a system administrator. The UIS
department notifies the Division of any questionable security
behavior for immediate resolution.

34 Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and

UMN study staff must complete a series of online courses on data security and privacy practices and policy, mandated by the University and tracked by Human Resources. Study management also maintains records certifying the completion of all necessary training.

35 Describe training system users receive (above and beyond general security and privacy awareness training).

Additional training may be required, depending on the study and specific study function. As an example, Bloodborne Pathogens training would be required if blood samples were to be collected. Based on the current study protocol, required additional training is not anticipated.

36 Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

(x) Yes
( ) No

37 Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Records are retained and disposed of under the authority of the NIH Records Control Schedule contained in NIH Manual Chapter 1743, Appendix 1B "Keeping and Destroying Records" (HHS Records Management Manual, Appendix 8-361), item 3000-G-3, which allows records to be kept as long as they are useful in scientific research. The system falls under the Privacy Act System of Records Notice 09-25-0200. As this is an epidemiologic cohort study, there are currently no plans to destroy the data.

38 Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Electronic study data are stored on server clusters, hosted at the University of Minnesota data centers. The Office of Information Technology (OIT) closely manages and monitors these centers. Facility access is limited to data center staff, system administrators, storage engineers, facility support and janitorial staff. Access controls entail personnel submitting a formal request to access a data center server room, a security card to enter the facility, and a center staff signing them in. All access logs are reviewed monthly and rights annually. Multiple server monitoring tools (e.g., Qualys, Zabbix, scripts) are utilized providing real time alerts of any errors, downtime, and security issues. Network traffic flows are analyzed by the University Information Security (UIS) department for security events. The data disaster recovery setup is twofold: data are replicated off site frequently and backups are created regularly on a set schedule.

REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV
Senior Officer for Privacy.

Reviewer Questions

Answer

1 Are the questions on the PIA answered correctly, accurately, and completely?
Yes / No
Reviewer Notes:

2 Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities?
Yes / No
Reviewer Notes:

3 Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors?
Yes / No
Reviewer Notes:

4 Does the PIA appropriately describe the PII quality and integrity of the data?
Yes / No
Reviewer Notes:

5 Is this a candidate for PII minimization?
Yes / No
Reviewer Notes:

6 Does the PIA accurately identify data retention procedures and records retention schedules?
Yes / No
Reviewer Notes:

7 Are the individuals whose PII is in the system provided appropriate participation?
Yes / No
Reviewer Notes:

8 Does the PIA raise any concerns about the security of the PII?
Yes / No
Reviewer Notes:

9 Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be?
Yes / No
Reviewer Notes:

10 Is the PII appropriately limited for use internally and with third parties?
Yes / No
Reviewer Notes:

11 Does the PIA demonstrate compliance with all Web privacy requirements?
Yes / No
Reviewer Notes:

12 Were any changes made to the system because of the completion of this PIA?
Yes / No
Reviewer Notes:

General Comments

Senior Official Privacy Signature

HHS Senior Agency Official for Privacy


File Type: application/pdf
File Modified: 2016-05-20
File Created: 2016-05-19
