Lpf Pia

Attachment 5_LPF PIA (OSOP_HHS approved).pdf

NLM Lost People-Finder System

LPF PIA

OMB: 0925-0612

Document [pdf]

Download: pdf | pdf

06.1 HHS Privacy Impact Assessment
Person Finder (Item)

(Form) /

NIH NLM Lost

PIA SUMMARY
1
The following required questions with an asterisk (*) represent the information necessary to complete the PIA Summary for transmission to the Office
of Management and Budget (OMB) and public posting in accordance with OMB Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. If the system hosts a website, the Website
Hosting Practices section is required to be completed regardless of the presence of personally identifiable information (PII). If no PII is contained in
the system, please answer questions in the PIA Summary Tab and then promote the PIA to the Senior Official for Privacy who will authorize the PIA.
If this system contains PII, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

Summary of PIA Required Questions

*Is this a new PIA?

No
If this is an existing PIA, please provide a reason for revision:

PIA Validation
*1. Date of this Submission:

Aug 14, 2012
*2. OPDIV Name:

NIH
*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):

09-25-0200
*5. OMB Information Collection Approval Number:

0925-0612
*6. Other Identifying Number(s):

No
*7. System Name (Align with system item name):

NIH/National Library of Medicine (NLM) Lost Person Finder System (LPF)
*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be
addressed:

Point of Contact Information
POC Name

Michael Gill

*10. Provide an overview of the system:

The National Library of Medicine (NLM) Lost Person Finder (LPF) project includes Web-based components that collect data to
facilitate reunification efforts during or after a disaster event. This data is collected as part of NLM’s mission to develop and
coordinate communication technologies to improve delivery of health services. NLM is a member of the Bethesda Hospitals’
Emergency Preparedness Partnership (BHEPP), which was established in 2004 to improve community disaster preparedness and
response among hospitals in Bethesda, Maryland that would likely be called upon to absorb mass causalities in a major disaster in
the National Capital Region or other areas. The BHEPP hospitals include the National Naval Medical Center (NNMC), the National
Institutes of Health Clinic Center (NIH CC), and Suburban Hospital/Johns Hopkins Medicine. With its expertise in communications,
information management, and medical informatics, NLM joined BHEPP to coordinate the R&D program, one of which is
development of a person locator tool to assist in family reunification after a disaster.
*13. Indicate if the system is new or an existing one being modified:

Existing
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted
by this system?
TIP: If the answer to Question 17 is “No” (indicating the system does not contain PII), only the remaining PIA Summary tab questions need to be
completed and submitted. If the system does contain PII, the full PIA must be completed and submitted. (Although note that “Employee systems,” –
i.e., systems that collect PII “permitting the physical or online contacting of a specific individual … employed [by] the Federal Government – only
need to complete the PIA Summary tab.)

Yes
17a. Is this a GSS PIA included for C&A purposes only, with no ownership of underlying application data? If the response to Q.17a is Yes, the
response to Q.17 should be No and only the PIA Summary must be completed.

No
*19. Are records on the system retrieved by 1 or more PII data elements?

Yes
*21. Is the system subject to the Privacy Act? (If the response to Q.19 is Yes, the response to Q.21 must be Yes and a SORN number is required for
Q.4)

Yes
*23. If the system shares or discloses PII, please specify with whom and for what purpose(s):

Yes. Information is shared with, disclosed or transferred to: (1) BHEPP participating hospitals’ personnel; (2) the general public
via an interactive Web-based system that allows individuals to search for missing family members that may have been recovered
(or found) post-disaster; (3) other people locator systems endorsed by U.S. government agencies to ensure that comprehensive
data is available to users of such systems and to ensure that use of the NLM system in no way interrupts or distracts from the
operation or use of other people locator systems.
*30. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate (clearly state if the information contained in the
system ONLY represents federal contact data); (2) Why and for what purpose the agency will use the information; (3) Explicitly indicate whether the
information contains PII; and (4) Whether submission of personal information is voluntary or mandatory:

The primary uses of the Lost Person Finder project components are to facilitate reunification efforts during or after a disaster.
Subsequently, the NLM will use the data to evaluate the functioning and utility of the LPF components and similar technologies
and guide future enhancements to the system. Collection of this information is authorized pursuant to sections 301, 307, 465, and
478A of the Public Health Service Act [42 U.S.C. 241, 242l, 286, and 286d] which authorizes the HHS Secretary to conduct and
support research. The information collected, maintained and disseminated includes personally identifiable information (or PII) and
is collected on a voluntary basis. Biographical information physical identifying characteristics will be collected, maintained, and
disseminated.
*31. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals whose PII is in the system when major
changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) Notify and
obtain consent from individuals regarding what PII is being collected from them; and (3) How the information will be used or shared. (Note: Please
describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]):

(1) There is no process for obtaining consent from individuals whose PII is maintained in the system when major system changes
occur. (2) Information is collected on a voluntary basis. (3) Information is posted on the LPF Web site notifying users about how
their information will be shared.
*32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed
regardless of the presence of PII)

Yes
*37. Does the website have any information or pages directed at children under the age of thirteen?

No
*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records
Retention and Destruction section in SORN)

Yes
*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls:

PII is secured by NLM’s controlled access computer room (Technical/Physical), Access to system must be requested in writing
from NLM program staff (Administrative).

PIA REQUIRED INFORMATION
1

HHS Privacy Impact Assessment (PIA)

The PIA determines if Personally Identifiable Information (PII) is contained within a system, what kind of PII, what is done with that information, and
how that information is protected. Systems with PII are subject to an extensive list of requirements based on privacy laws, regulations, and guidance.
The HHS Privacy Act Officer may be contacted for issues related to Freedom of Information Act (FOIA) and the Privacy Act. Respective Operating
Division (OPDIV) Privacy Contacts may be contacted for issues related to the Privacy Act. The Office of the Chief Information Officer (OCIO) can be
used as a resource for questions related to the administrative, technical, and physical controls of the system. Please note that answers to questions
with an asterisk (*) will be submitted to the Office of Management and Budget (OMB) and made publicly available in accordance with OMB
Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible.

General Information

*Is this a new PIA?

No
If this is an existing PIA, please provide a reason for revision:

PIA Validation
*1. Date of this Submission:

Aug 14, 2012
*2. OPDIV Name:

NIH
3. Unique Project Identifier (UPI) Number for current fiscal year (Data is auto-populated from the System Inventory form, UPI table):

*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):

09-25-0200
*5. OMB Information Collection Approval Number:

0925-0612
5a. OMB Collection Approval Number Expiration Date:

*6. Other Identifying Number(s):

No
*7. System Name: (Align with system item name)

NIH/National Library of Medicine (NLM) Lost Person Finder System (LPF)
8. System Location: (OPDIV or contractor office building, room, city, and state)

System Location:
OPDIV or contractor office building

Building 38A

Room

Data Center, Room B1W17

City

Bethesda

State

Maryland

*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be
addressed:

Point of Contact Information

POC Name

Michael Gill

The following information will not be made publicly available:

POC Title

Electronics Engineer

POC Organization

National Institutes of Health/National Library of Medicine/Lister
Hill National Center for Biomedical
Communications/Communications Engineering Branch

POC Phone

301-435-3212

POC Email

[email protected]

*10. Provide an overview of the system: (Note: The System Inventory form can provide additional information for child dependencies if the system is
a GSS)

SYSTEM CHARACTERIZATION AND DATA CATEGORIZATION
1

System Characterization and Data Configuration

11. Does HHS own the system?

Yes
11a. If no, identify the system owner:

12. Does HHS operate the system? (If the system is operated at a contractor site, the answer should be No)

Yes
12a. If no, identify the system operator:

*13. Indicate if the system is new or an existing one being modified:

Existing
14. Identify the life-cycle phase of this system:

Development/Acquisition
15. Have any of the following major changes occurred to the system since the PIA was last submitted?

Please indicate “Yes” or “No” for each category below:

Yes/No

Conversions

Anonymous to Non-Anonymous

Significant System Management Changes

Significant Merging

New Public Access

Commercial Sources

New Interagency Uses

Internal Flow or Collection

Alteration in Character of Data

16. Is the system a General Support System (GSS), Major Application (MA), Minor Application (child) or Minor Application (stand-alone)?

Minor Application (stand-alone)
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted
by this system?

Yes
TIP: If the answer to Question 17 is “No” (indicating the system does not contain PII), only the remaining PIA Summary tab questions need to be
completed and submitted. If the system does contain PII, the full PIA must be completed and submitted. (Although note that “Employee systems,” –
i.e., systems that collect PII “permitting the physical or online contacting of a specific individual … employed [by] the Federal Government – only
need to complete the PIA Summary tab.)
Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate
category of PII.

Categories:

Yes/No

Name (for purposes other than contacting federal
employees)

Yes

Date of Birth

Yes

Social Security Number (SSN)

Photographic Identifiers

Yes

Driver’s License

Biometric Identifiers

Mother’s Maiden Name

Vehicle Identifiers

Personal Mailing Address

Yes

Personal Phone Numbers

Yes

Medical Records Numbers

Medical Notes

Yes

Financial Account Information

Certificates

Legal Documents

Device Identifiers

Yes

Web Uniform Resource Locator(s) (URL)

Personal Email Address

Yes

Education Records

Military Status

Employment Status

Foreign Activities

Other

Yes; mass casualty identifier, last seen location

17a. Is this a GSS PIA included for C&A purposes only, with no ownership of underlying application data? If the response to Q.17a is Yes, the
response to Q.17 should be No and only the PIA Summary must be completed.

No
18. Please indicate the categories of individuals about whom PII is collected, maintained, disseminated and/or passed through. Note: If the
applicable PII category is not listed, please use the Other field to identify the appropriate category of PII. Please answer "Yes" or "No" to each of
these choices (NA in other is not applicable).

Categories:

Yes/No

Employees

Public Citizen

Yes

Patients

Yes

Business partners/contacts (Federal, state, local
agencies)

Vendors/Suppliers/Contractors

Other

Yes, Non-US Citizens are possible.

*19. Are records on the system retrieved by 1 or more PII data elements?

Yes
Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate
category of PII.

Categories:

Yes/No

Name (for purposes other than contacting federal
employees)

Yes

Date of Birth

SSN

Photographic Identifiers

Yes

Driver’s License

Biometric Identifiers

Mother’s Maiden Name

Vehicle Identifiers

Personal Mailing Address

Yes

Personal Phone Numbers

Yes

Medical Records Numbers

Medical Notes

Yes

Financial Account Information

Certificates

Legal Documents

Device Identifiers

Yes

Web URLs

Personal Email Address

Yes

Education Records

Military Status

Employment Status

Foreign Activities

Other

Yes; mass casualty identifiers, last seen location

20. Are 10 or more records containing PII maintained, stored or transmitted/passed through this system?

Yes
*21. Is the system subject to the Privacy Act? (If the response to Q.19 is Yes, the response to Q.21 must be Yes and a SORN number is required for
Q.4)

Yes
21a. If yes but a SORN has not been created, please provide an explanation.

N/A

INFORMATION SHARING PRACTICES
1

Information Sharing Practices

22. Does the system share or disclose PII with other divisions within this agency, external agencies, or other people or organizations outside the
agency?

Yes

Please indicate “Yes” or “No” for each category below:

Yes/No

Name (for purposes other than contacting federal
employees)

Yes

Date of Birth

Yes

SSN

Photographic Identifiers

Yes

Driver’s License

Biometric Identifiers

Mother’s Maiden Name

Vehicle Identifiers

Personal Mailing Address

Yes

Personal Phone Numbers

Yes

Medical Records Numbers

Medical Notes

Yes

Financial Account Information

Certificates

Legal Documents

Device Identifiers

Yes

Web URLs

Personal Email Address

Yes

Education Records

Military Status

Employment Status

Foreign Activities

Other

Yes; mass casualty identifiers, last seen location

*23. If the system shares or discloses PII please specify with whom and for what purpose(s):

data is available to users of such systems and to ensure that use of the NLM system in no way interrupts or distracts from the
operation or use of other people locator systems.
24. If the PII in the system is matched against PII in one or more other computer systems, are computer data matching agreement(s) in place?

Not Applicable
25. Is there a process in place to notify organizations or systems that are dependent upon the PII contained in this system when major changes
occur (i.e., revisions to PII, or when the system is replaced)?

Yes
26. Are individuals notified how their PII is going to be used?

Yes
26a. If yes, please describe the process for allowing individuals to have a choice. If no, please provide an explanation.

Information is collected on a voluntary basis. A Privacy Act statement is provided in the LPF project components to notify
individuals about the uses of their PII.
27. Is there a complaint process in place for individuals who believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is
inaccurate?

Yes
27a. If yes, please describe briefly the notification process. If no, please provide an explanation.

There is no formal complaint process in place if PII is inappropriately obtained, used, or disclosed; however, a technical support
email address is provided for the LPF project components. The information provided to the LPF Web site may not be moderated,
and NLM and other contributing organizations may not review or verify the accuracy of any information that is submitted to the
LPF Web site.
28. Are there processes in place for periodic reviews of PII contained in the system to ensure the data’s integrity, availability, accuracy and
relevancy?

No
28a. If yes, please describe briefly the review process. If no, please provide an explanation.

The information provided to the LPF Web site may not be moderated, and NLM and other contributing organizations may not
review or verify the accuracy of any information that is submitted to the LPF Web site.
29. Are there rules of conduct in place for access to PII on the system?

Yes
Please indicate "Yes," "No," or "N/A" for each category. If yes, briefly state the purpose for each user to have access:

Users with access to PII

Yes/No/N/A

Purpose

User

Yes

Search and submit information

Administrators

Yes

Search, edit, and delete information

Developers

Yes

Search and submit information

Contractors

Yes

Search and submit information

Other

Not Applicable

*30. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate (clearly state if the information contained in the
system ONLY represents federal contact data); (2) Why and for what purpose the agency will use the information; (3) Explicitly indicate whether the
information contains PII; and (4) Whether submission of personal information is voluntary or mandatory:

*31. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals whose PII is in the system when major
changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) Notify and
obtain consent from individuals regarding what PII is being collected from them; and (3) How the information will be used or shared. (Note: Please
describe in what format individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])

WEBSITE HOSTING PRACTICES
1

Website Hosting Practices

*32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed
regardless of the presence of PII)

Yes

Please indicate “Yes” or “No” for
each type of site below. If the
system hosts both Internet and
Intranet sites, indicate “Yes” for
“Both” only.

Yes/ No

If the system hosts an Internet site,
please enter the site URL. Do not
enter any URL(s) for Intranet sites.

Internet

Yes

http://pl.nlm.nih.gov ;
http://lpfbeta.nlm.nih.gov

Intranet

Yes

Both

Yes

33. Does the system host a website that is accessible by the public and does not meet the exceptions listed in OMB M-03-22?
Note: OMB M-03-22 Attachment A, Section III, Subsection C requires agencies to post a privacy policy for websites that are accessible to the public,
but provides three exceptions: (1) Websites containing information other than "government information" as defined in OMB Circular A-130; (2)
Agency intranet websites that are accessible only by authorized government users (employees, contractors, consultants, fellows, grantees); and (3)
National security systems defined at 40 U.S.C. 11103 as exempt from the definition of information technology (see section 202(i) of the EGovernment Act.).

Yes
34. If the website does not meet one or more of the exceptions described in Q. 33 (i.e., response to Q. 33 is "Yes"), a website privacy policy
statement (consistent with OMB M-03-22 and Title II and III of the E-Government Act) is required. Has a website privacy policy been posted?

Yes
35. If a website privacy policy is required (i.e., response to Q. 34 is “Yes”), is the privacy policy in machine-readable format, such as Platform for
Privacy Preferences (P3P)?

Yes
35a. If no, please indicate when the website will be P3P compliant:

36. Does the website employ tracking technologies?

Yes

Please indicate “Yes”, “No”, or “N/A” for each type of
cookie below:

Yes/No/N/A

Web Bugs

Web Beacons

Session Cookies

Yes

Persistent Cookies

Other

*37. Does the website have any information or pages directed at children under the age of thirteen?

37a. If yes, is there a unique privacy policy for the site, and does the unique privacy policy address the process for obtaining parental consent if any
information is collected?

N/A
38. Does the website collect PII from individuals?

Yes

Please indicate “Yes” or “No” for each category below:

Yes/No

Name (for purposes other than contacting federal
employees)

Yes

Date of Birth

Yes

SSN

Photographic Identifiers

Yes

Driver's License

Biometric Identifiers

Mother's Maiden Name

Vehicle Identifiers

Personal Mailing Address

Yes

Personal Phone Numbers

Yes

Medical Records Numbers

Medical Notes

Yes

Financial Account Information

Certificates

Legal Documents

Device Identifiers

Yes

Web URLs

Personal Email Address

Yes

Education Records

Military Status

Employment Status

Foreign Activities

Other

Yes; mass casualty identifier, last seen location

39. Are rules of conduct in place for access to PII on the website?

Yes
40. Does the website contain links to sites external to HHS that owns and/or operates the system?

Yes
40a. If yes, note whether the system provides a disclaimer notice for users that follow external links to websites not owned or operated by HHS.

Yes a disclaimer notice exists.

ADMINISTRATIVE CONTROLS
1

Administrative Controls

Note: This PIA uses the terms “Administrative,” “Technical” and “Physical” to refer to security control questions—terms that are used in several
Federal laws when referencing security requirements.
41. Has the system been certified and accredited (C&A)?

No
41a. If yes, please indicate when the C&A was completed:

41b. If a system requires a C&A and no C&A was completed, is a C&A in progress?

No
42. Is there a system security plan for this system?

No
43. Is there a contingency (or backup) plan for the system?

No
44. Are files backed up regularly?

No
45. Are backup files stored offsite?

No
46. Are there user manuals for the system?

No
47. Have personnel (system owners, managers, operators, contractors and/or program managers) using the system been trained and made aware of
their responsibilities for protecting the information being collected and maintained?

Yes
48. If contractors operate or use the system, do the contracts include clauses ensuring adherence to privacy provisions and practices?

Yes
49. Are methods in place to ensure least privilege (i.e., “need to know” and accountability)?

Yes
49a. If yes, please specify method(s):

(1) SecureID for authentication to privilidge users (2) Login w/ least privilidges permitted and escalation as needed (3) Eventsys
used to keep copies of all logs and events on a separate system
*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records
Retention and Destruction section in SORN):

Yes
50a. If yes, please provide some detail about these policies/practices:

Statement in SORN 09-25-0200: Clinical, Basic and Population-based Research Studies of the National Institutes of Health (NIH),
HHS/NIH/OD, regarding retention and disposal.
“Records are retained and disposed of under the authority of the NIH Records Control Schedule contained in NIH Manual Chapter
1743, Appendix 1B "Keeping and Destroying Records" (HHS Records Management Manual, Appendix B-361), item 3000-G-3,
which allows records to be kept as long as they are useful in scientific research. Collaborative Perinatal Project records are
retained in accordance with item 3000-G-4, which does not allow records to be destroyed. Refer to the NIH Manual Chapter for
specific conditions on disposal or retention instructions.”

TECHNICAL CONTROLS
1

Technical Controls

51. Are technical controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system?

Yes

Please indicate “Yes” or “No” for each category below:

Yes/No

User Identification

Yes

Passwords

Yes

Firewall

Yes

Virtual Private Network (VPN)

Encryption

Intrusion Detection System (IDS)

Yes

Common Access Cards (CAC)

Smart Cards

Biometrics

Public Key Infrastructure (PKI)

Yes

52. Is there a process in place to monitor and respond to privacy and/or security incidents?

Yes
52a. If yes, please briefly describe the process:

(1) Monitoring done by NLM/OCCS IDS systems (2) NLM/ISSO responsible for assigning response to incidents.

PHYSICAL ACCESS
1

Physical Access

53. Are physical access controls in place?

Yes

Please indicate “Yes” or “No” for each category below:

Yes/No

Guards

Yes

Identification Badges

Yes

Key Cards

Yes

Cipher Locks

Biometrics

Yes

Closed Circuit TV (CCTV)

Yes

*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls:

PII is secured by NLM’s controlled access computer room (Technical/Physical), Access to system must be requested in writing
from NLM program staff (Administrative).

APPROVAL/DEMOTION
1

System Information

System Name:

NIH/National Library of Medicine (NLM) Lost Person Finder System (LPF)

PIA Reviewer Approval/Promotion or Demotion

Promotion/Demotion:

Promote

Comments:
Approval/Demotion Point
of Contact:

Dar-Ning Kung

Date:

Aug 14, 2012

Senior Official for Privacy Approval/Promotion or Demotion

Promotion/Demotion:

Promote

Comments:

OPDIV Senior Official for Privacy or Designee Approval

Please print the PIA and obtain the endorsement of the reviewing official below. Once the signature has been
collected, retain a hard copy for the OPDIV's records. Submitting the PIA will indicate the reviewing official has
endorsed it
This PIA has been reviewed and endorsed by the OPDIV Senior Official for Privacy or Designee (Name and Date):
Name: __________________________________ Date: ________________________________________

Name:
Date:

Department Approval to Publish to the Web

Approved for web publishing
Date Published:
Publicly posted PIA URL or no PIA URL explanation:

Karen Plá
Sep 28, 2012

PIA % COMPLETE
1

PIA Completion

PIA Percentage Complete: 100.00
PIA Missing Fields:

File Type	application/pdf
Author	NLM01792342TEST
File Modified	2016-03-31
File Created	2016-03-31