Privacy and Civil Liberties Impact Assessment
(PCLIA)
Privacy and Civil Liberties Impact Assessment
for the
Family Self-Sufficiency (FSS) Program Demonstration
<< Publication Date>>
Reviewing Official
Helen Goff Foster
Chief Privacy Officer
Department of Housing and Urban Development
United States Department of Housing and Urban Development
November 20, 2017
[THIS PAGE MUST BE REMOVED PRIOR TO PUBLICATION]
Certifying Official
Helen Goff Foster
Chief Privacy Officer
Department of Housing and Urban Development
(202) 402-5581
System Owner
Regina C. Gray
Social Science Analyst and Contracting Officer’s Technical Representative
Affordable Housing Research and Technology Division
Office of Policy Development and Research
Department of Housing and Urban Development
202-402-2876
OCIO/Information Security Contact Consulted in Drafting the PCLIA
Tracy Bigesby
Office of the Chief Information Officer, HUD
Chief Information Security Office
202-619-9057, ext. 3616
Paperwork Reduction Act Contact Consulted in Drafting the PCLIA
<< Name >>
<< Program/Agency/Office>>
<< Departmental Office>>
<< Contact Phone>>
Records Management Contact Consulted in Drafting the PCLIA
Marcus Smallwood
Office of Administration, HUD
Director, Executive Secretariat Division
202-402-5581
Section 508 Coordinator Contact Consulted in Drafting the PCLIA
Peter J. Reed
Office of the Chief Information Officer, HUD
Director, Customer Services Division
202-402-6391
Other Department Reviewer:
Ronald Hill
Office of Policy Development and Research, HUD
Program Evaluation Division
202-402-7073
Table of Contents
Section 1: Introduction
Section 2: Definitions
Section 3: System Overview
Section 4: Information Collection
Section 5: Maintenance, use, and sharing of the information
Section 6: Compliance with federal information management requirements
Section 7: Redress
Section 1: Introduction
It is the policy of the Department of Housing and Urban Development (“HUD” or “Department”)
to conduct a Privacy Impact Assessment (“PCLIA”) when personally identifiable information
(“PII”) is maintained in a system or by a project. PCLIAs are required for all systems and
projects that collect, maintain, or disseminate PII, regardless of the way the information is
retrieved.
This assessment is being completed pursuant to Section 208 of the E-Government Act of 2002
(“E-Gov Act”), 44 U.S.C. § 3501, Office of Management and Budget (“OMB”)
Memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the
E-Government Act of 2002,” and “Privacy Impact Assessment (PCLIA),” which requires HUD to
conduct a PCLIA before:
1. Developing or procuring information technology (“IT”) systems or projects that collect,
maintain or disseminate PII from or about members of the public, or
2. Initiating a new collection of information that: a) will be collected, maintained, or
disseminated using IT; and b) includes any PII permitting the physical or online
contacting of a specific individual, if identical questions have been posed to, or identical
reporting requirements imposed on, 10 or more persons. Agencies, instrumentalities, or
employees of the federal government are not included.
This PCLIA provides the following information regarding the system or project:
(1) an overview of its purpose and functions;
(2) a description of the information collected;
(3) a description of how the information is maintained, used, and shared;
(4) an assessment of whether the system or project is in compliance with federal
requirements that support information privacy; and
(5) an overview of the redress/complaint procedures available to individuals who may be
affected by the use or sharing of information by the system or project.
This is the first time a PCLIA is being completed for the Family Self-Sufficiency (FSS)
Program Demonstration.
Section 2: Definitions
Agency – means any entity that falls within the definition of the term “executive agency” as
defined in 31 U.S.C. § 102.
Certifying Official – The Chief Privacy Officer who reviews and approves all PCLIAs as part of
her/his duties as a direct report to Housing and Urban Development Senior Agency Official for
Privacy.
Collect (including “collection”) – means the retrieval, receipt, gathering, or acquisition of any
PII and its storage or presence in a HUD system. This term should be given its broadest possible
meaning.
Contractors and service providers – are private companies that provide goods or services
under a contract with the Department of Housing and Urban Development or one of its bureaus.
This includes, but is not limited to, information providers, information processors, and other
organizations providing information system development, information technology services, and
other outsourced applications.
Data mining – means a program involving pattern-based queries, searches, or other analyses of
1 or more electronic databases, where – (a) a department or agency of the federal government,
or a non-federal entity acting on behalf of the federal government, is conducting the queries,
searches, or other analyses to discover or locate a predictive pattern or anomaly indicative of
terrorist or criminal activity on the part of any individual or individuals; (b) the queries, searches,
or other analyses are not subject-based and do not use personal identifiers of a specific
individual, or inputs associated with a specific individual or group of individuals, to retrieve
information from the database or databases; and (c) the purpose of the queries, searches, or other
analyses is not solely – (i) the detection of fraud, waste, or abuse in a government agency or
program; or (ii) the security of a government computer system.
Disclosure – When it is clear from its usage that the term “disclosure” refers to records provided
to the public in response to a request under the Freedom of Information Act (5 U.S.C. § 552,
“FOIA”) or the Privacy Act (5 U.S.C. § 552a), its application should be limited in that manner.
Otherwise, the term should be interpreted as synonymous with the terms “sharing” and
“dissemination” as defined in this manual.
Dissemination – as used in this manual, is synonymous with the terms “sharing” and
“disclosure” (unless it is clear from the context that the use of the term “disclosure” refers to a
FOIA/Privacy Act disclosure).
E-Government – means the use of digital technologies to transform government operations to
improve effectiveness, efficiency, and service delivery.
Federal information system – means a discrete set of information resources organized for the
collection, processing, maintenance, transmission, and dissemination of information owned or
under the control of a federal agency, whether automated or manual.
Final Rule – After the NPRM comment period closes, the agency reviews and analyzes the
comments received (if any). The agency has the option to proceed with the rulemaking as
proposed, issue a new or modified proposal, or withdraw the proposal before reaching its final
decision. The agency can also revise the supporting analyses contained in the NPRM (e.g., to
address a concern raised by a member of the public in response to the NPRM).
Government information – means information created, collected, used, maintained, processed,
disseminated, or disposed of by or for the federal government.
Individual – means a citizen of the United States or an alien lawfully admitted for permanent
residence. If a question does not specifically inquire about or an issue does not clearly involve a
Privacy Act system of records, the term should be given its common, everyday meaning. In
certain contexts, the term individual may also include citizens of other countries who are covered
by the terms of an international or other agreement that involves information stored in the system
or used by the project.
Information – means any representation of knowledge such as facts, data, or opinions in any
medium or form, regardless of its physical form or characteristics. This term should be given the
broadest possible meaning. This term includes, but is not limited to, information contained in a
Privacy Act system of records.
Information technology (IT) – means any equipment or interconnected system or subsystem of
equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation,
management, movement, control, display, switching, interchange, transmission, or reception of
data or information by the executive agency, if the equipment is used by the executive agency
directly or is used by a contractor under a contract with the executive agency that requires the
use: (i) of that equipment; or (ii) of that equipment to a significant extent in the performance of a
service or the furnishing of a product. It includes computers, ancillary equipment (including
imaging peripherals, input, output, and storage devices necessary for security and surveillance),
peripheral equipment designed to be controlled by the central processing unit of a computer,
software, firmware and similar procedures, services (including support services), and related
resources; but does not include any equipment acquired by a federal contractor incidental to a
federal contract. Clinger-Cohen Act of 1996, 40 U.S.C. § 11101(6).
Major Information system – embraces “large” and “sensitive” information systems and means
“a system or project that requires special management attention because of its importance to an
agency mission; its high development, operating, or maintenance costs; or its significant role in
the administration of agency programs, finances, property, or other resources.” OMB Circular
A-130, § 6.u. This definition includes all systems that contain PII and are rated as “MODERATE
or HIGH impact” under Federal Information Processing Standard 199.
National Security systems – a telecommunications or information system operated by the
federal government, the function, operation or use of which involves: (1) intelligence activities,
(2) cryptologic activities related to national security, (3) command and control of military forces,
(4) equipment that is an integral part of a weapon or weapons systems, or (5) systems critical to
the direct fulfillment of military or intelligence missions, but does not include systems used for
routine administrative and business applications, such as payroll, finance, logistics, and
personnel management. Clinger-Cohen Act of 1996, 40 U.S.C. § 11103.
Notice of Proposed Rule Making (NPRM) – the Privacy Act (Sections (j) and (k)) allows
agencies to use the rulemaking process to exempt particular systems of records from some of the
requirements in the Act. This process is often referred to as “notice-and-comment rulemaking.”
The agency publishes an NPRM to notify the public that the agency is proposing a rule and
provides an opportunity for the public to comment on the proposal before the agency can issue a
final rule.
Personally Identifiable Information (PII) – any information that can be used to distinguish or
trace an individual’s identity, either alone or when combined with other personal or identifying
information that is linked or linkable to a specific individual.
Privacy and Civil Liberties Impact Assessment (PCLIA) – a PCLIA is:
(1) a process conducted to: (a) identify privacy and civil liberties risks in systems,
programs, and other activities that maintain PII; (b) ensure that information systems,
programs, and other activities comply with legal, regulatory, and policy requirements;
(c) analyze the privacy and civil liberties risks identified; (d) identify remedies,
protections, and alternative or additional privacy controls necessary to mitigate those
risks; and (e) provide notice to the public of privacy and civil liberties protection
practices.
(2) a document that catalogues the outcome of that privacy and civil liberties risk
assessment process.
Protected Information – as the term is used in this PCLIA, has the same definition given to that
term in TD 25-10, Section 4.
Privacy Act Record – any item, collection, or grouping of information about an individual that
is maintained by an agency, including, but not limited to, the individual’s education, financial
transactions, medical history, and criminal or employment history and that contains the
individual’s name, or the identifying number, symbol, or other identifying particular assigned to
the individual, such as a finger or voice print or a photograph. 5 U.S.C. § 552a (a)(4).
Routine Use – with respect to the disclosure of a record outside of HUD (i.e., external sharing),
the sharing of such record for a purpose which is compatible with the purpose for which it was
collected 5 U.S.C. § 552a(a)(7).
Sharing – any HUD initiated distribution of information to government employees or agency
contractors or grantees, including intra- or inter-agency transfers or exchanges of HUD
information, regardless of whether it is covered by the Privacy Act. It does not include responses
to requests for agency records under FOIA or the Privacy Act. It is synonymous with the term
“dissemination” as used in this assessment. It is also synonymous with the term “disclosure” as
used in this assessment unless it is clear from the context in which the term is used that it refers
to disclosure to the public in response to a request for agency records under FOIA or the Privacy
Act.
System – as the term is used in this manual, includes both federal information systems and
information technology.
System of Records – a group of any records under the control of HUD from which information
is retrieved by the name of the individual or by some identifying number, symbol, or other
identifying particular assigned to the individual. 5 U.S.C. § 552a (a)(5).
System of Records Notice (SORN) – Each agency that maintains a system of records shall
publish in the Federal Register upon establishment or revision a notice of the existence and
character of the system of records, which notice shall include: (A) the name and location of the
system; (B) the categories of individuals on whom records are maintained in the system; (C) the
categories of records maintained in the system; (D) each routine use of the records contained in
the system, including the categories of users and the purpose of such use; (E) the policies and
practices of the agency regarding storage, retrievability, access controls, retention, and disposal
of the records; (F) the title and business address of the agency official who is responsible for the
system of records; (G) the agency procedures whereby an individual can be notified at her/his
request if the system of records contains a record pertaining to him; (H) the agency procedures
whereby an individual can be notified at her/his request how she/he can gain access to any record
pertaining to him contained in the system of records, and how she/he can contest its content; and
(I) the categories of sources of records in the system. 5 U.S.C. § 552a (e)(4).
System Owner – Official responsible for the overall procurement, development, integration,
modification, or operation and maintenance of a system.
Section 3: System Overview
Section 3.1: System/Project Description and Purpose
In March 2012, HUD awarded the National Family Self-Sufficiency Evaluation to MDRC. The primary
goal of the Family Self-Sufficiency evaluation is to increase our knowledge about the effectiveness of
FSS, which is aimed at helping housing-assisted populations secure and maintain employment and gain
independence from public support programs. The implementation research will allow the research team
to learn about the delivery of FSS services and how different service delivery practices may influence
participation and program effectiveness. Information collected from staff will include data about staffing,
program policies and approaches, case management practices, the goal-setting process, Program
Coordinating Committees’ involvement in service delivery, and program costs, among other topics.
Information collected from participants will include motivation for joining FSS, selection of goals and
progress toward goals, views about the escrow component, relationship with case managers, and
reflections on their experience with the program in general. This type of information is only available
through field research visits and interviews with staff and participants and cannot be obtained through
administrative records or surveys. The MDRC research team has prepared an information
collection to meet the contractual requirements that includes a survey of FSS Supervisors, FSS
Case Managers, FSS Coordinators and site visits to active FSS participants where they will be
interviewed to understand how the program is working for them.
Estimated Number of Individuals Whose Personally Identifiable Information is
Maintained in the System or by the Project
☒ 1000 – 9,999
☐ 10,000 – 99,999
☐ 0 – 999
☐ 100,000 – 499,999
☐ 500,000 – 999,999
☐ 1,000,000+
Section 3.2: Authority to Collect
The authorities for operating this system or performing this project are:
12 U.S.C. §1701z-1 established PD&R and its authority to conduct research. 12 U.S.C. 1701z-2(g)
Information and data, gives PD&R the authority to request personal information from people. HUD
promises confidentiality as stated in the Privacy Act of 1974 (5 U.S.C. 552a), Records Maintained on
Individuals, and obtains consent from individual study participants as part of the enrollment in the
study. The findings from the study will be publicly reported only at the aggregate level; neither
individual service coordinators nor focus group participants will be identified in the study reports.
Section 4: Information Collection
Section 4.1: Relevant and Necessary
The Privacy Act requires “each agency that maintains a system of records [to] maintain in its
records only such information about an individual as is relevant and necessary to accomplish a
purpose of the agency required to be fulfilled by statute or by executive order of the President.” 5
U.S.C. § 552a (e)(1). It allows federal agencies to exempt records from certain requirements
(including the relevant and necessary requirement) under certain conditions. 5 U.S.C. § 552a (k).
The proposed exemption must be described in a Notice of Proposed Rulemaking (“NPRM”). In
the context of the Privacy Act, the purpose of the NPRM is to give the public notice of a Privacy
Act exemption claimed for a system of records and solicit public opinion on the proposed
exemption. After addressing any public concerns raised in response to the NPRM, the agency
must issue a Final Rule. It is possible for some, but not all, of the records maintained in the
system or by the project to be exempted from the Privacy Act through the NPRM/Final Rule
process.
Section 4.1(a) Please check all of the following that are true:
1. ☐ None of the PII maintained in the system or by the project is part of a Privacy Act system of
records;
2. ☐ All of the PII maintained in the system or by the project is part of a system of records and none
of it is exempt from the Privacy Act relevant and necessary requirement;
3. ☒ All of the PII maintained in the system or by the project is part of a system of records and all of
it is exempt from the Privacy Act relevant and necessary requirement;
4. ☐ Some, but not all, of the PII maintained in the system or by the project is part of a system of
records and the records to which the Privacy Act applies are exempt from the relevant and
necessary requirement; and
5. ☐ Some, but not all, of the PII maintained in the system or by the project is part of a system of
records and none of the records to which the Privacy Act applies are exempt from the relevant
and necessary requirement.
Section 502 (g) of the Housing and Urban Development Act of
1970 (Public Law 91-609) (12 U.S.C. 1701z-1; 1701z-2(d) and (g)).
Section 4.1(b) ☐ Yes ☐ No ☒ N/A With respect to PII maintained in the system or by the project
that is subject to the Privacy Act’s relevant and necessary requirement, was an assessment conducted
prior to collection (e.g., during Paperwork Reduction Act analysis) to determine which PII types (see
Section 4.2 below) were relevant and necessary to meet the system’s or project’s mission
requirements?
Section 4.1(c) ☐ Yes ☐ No ☒ N/A With respect to PII currently maintained in the system or by the
project that is subject to the Privacy Act’s relevant and necessary requirement, is the PII limited to
only that which is relevant and necessary to meet the system’s or project’s mission requirements?
Section 4.1(d) ☐ Yes ☐ No ☒ N/A With respect to PII maintained in the system or by the project
that is subject to the Privacy Act’s relevant and necessary requirement, is there a process to
continuously reevaluate and ensure that the PII remains relevant and necessary?
No exemption to the Privacy Act is claimed.
Section 4.2: PII and/or information types or groupings
To perform their various missions, federal agencies must necessarily collect various types of
information. The checked boxes below represent the types of information maintained in the
system or by the project. Information identified below is used by the system or project to fulfill
the purpose stated in Section 3.2 – Authority to Collect.
Biographical/General Information
☒ Personal Cell Number
☐ Business Cell Number
☐ Group/Organization Membership
☐ Military Service Information
☒ Personal Home Phone or Fax
Number
☐ Alias (including nickname)
☒ Business Phone or Fax Number
☐ Nationality
☐ Country of Birth
☐ City or County of Birth
☐ Mother’s Maiden Name
☐ Spouse Information
☐ Children Information
☐ Immigration Status
☐ Information about other
relatives.
☐ Citizenship
☐ Professional/personal references
or other information about an
individual’s friends, associates or
acquaintances.
☐ Global Positioning System
(GPS)/Location Data
☒ Name
☒ Date of Birth
☒ Home Physical/Postal
Mailing Address
☐ Zip Code
☐ Business Physical/Postal
Mailing Address
☒ Personal e-mail address
☐ Business e-mail address
☒ Personal Financial
Information (including loan
information)
☐ Business Financial
Information (including loan
information)
☒ Marital Status
☒ Gender
☒ Race
☒ Ethnicity
☐ Religion/Religious
Preference
☐ Device settings or preferences
(e.g., security level, sharing
options, ringtones).
☐ User names, avatars etc.
☐ Sexual Orientation
☐ Cell tower records (e.g., logs.
user location, time etc.)
☐ Contact lists and directories
(known to contain personal
information)
☒ Education Information
☐ Network communications data
☐ Secure Digital (SD) Card or
Other Data stored on a card or other
technology
☐ Cubicle or office number
☐ Contact lists and directories
(not known to contain personal
information, but uncertain)
☐ Resume or curriculum vitae
☐ Contact lists and directories
(known to contain only business
information)
☐ Other (please describe):
☐ ☒ Other (please describe):
PHA Household ID Number
☐ Other (please describe):
☒ Other (please describe):
Birth year, job title, years of work
experience, professional
certifications, range of total
compensation
______________________
Identifying Numbers
☒ Full Social Security number
☐ Truncated/Partial Social Security number (e.g.,
last 4 digits)
☐ Personal Taxpayer Identification Number
☐ Personal Credit Card Number
☐ Health Plan Beneficiary Number
☐ Alien Registration Number
☐ Business Taxpayer Identification Number (If
known: ☐ sole proprietor; ☐ non-sole proprietor)
☐ Business Credit Card Number (If known: ☐ sole
proprietor; ☐ non-sole proprietor)
☐ Business Vehicle Identification Number (If
known: ☐ sole proprietor; ☐ non-sole proprietor)
☐ Business License Plate Number (If known: ☐
sole proprietor; ☐ non-sole proprietor)
☐ File/Case ID Number (business) (If known: ☐
sole proprietor; ☐ non-sole proprietor)
☐ Business Professional License Number (If
known: ☐ sole proprietor; ☐ non-sole proprietor)
☐ Patient ID Number
☐ Personal Bank Account Number
☐ Government obtained internet
navigation/purchasing habits of individuals
☐ Driver’s License Number
☐ Personal Vehicle Identification Number
☐ Personal License Plate Number
☐ File/Case ID Number (individual)
☐ Personal Professional License Number
☐ Employee Identification Number
☐ Business Bank Account Number
☐ Commercially obtained internet
navigation/purchasing habits of individuals
☐ Business License Plate Number (non-sole proprietor)
☐ Personal device identifiers or serial numbers,
☐ Other Identifying Numbers (please describe):
☐ Passport Number and Passport information
(including full name, passport number, DOB, POB,
sex, nationality, issuing country photograph and
signature) (use “Other” if some but not all elements
are collected)
☐ Other Identifying Numbers (please describe):
Medical/Emergency Information Regarding Individuals
☐ Medical/Health Information
☐ Mental Health Information
☐ Worker’s Compensation Act
Information
☐ Disability Information
☐ Patient ID Number
☐ Emergency Contact Information
(e.g., a third party to contact in case
of emergency)
☐ Other (please describe):
Biometrics/Distinguishing Features/Characteristics of Individuals
☐ Physical description/
characteristics (e.g., hair, eye
color, weight, height, sex, gender
etc.)
☐ Fingerprints
☐ Palm prints
☐ Voice audio recording
☐ Other (please describe):
☐ Signatures
☐ Vascular scans
☐ Photos
☐ Video
☐ Scars, marks, tattoos
☐ Other (please describe):
☐ Retina/Iris Scans
☐ Dental Profile
☐ DNA Sample or Profile
☐ Other (please describe):
Specific Information/File Types
☐ Taxpayer Information/Tax
Return Information
☐ Civil/Criminal History
Information/Police Records
(government source)
☐ Civil/Criminal History
Information/Police Records
(commercial source)
☐ Protected Information (as
defined in HUD Directive 25-10)
☐ Information provided under a
confidentiality agreement
☐ Law Enforcement Information
☐ Credit History Information
(government source)
☐ Security Clearance/Background
Check Information
☐ Bank Secrecy Act Information
☐ Credit History Information
(commercial source)
☐ National Security/Classified
Information
☐ Case files
☐ Personnel Files
☐ Information subject to the
terms of an international or other
agreement
☐ Other (please describe):
______________________
Audit Log and Security Monitoring Information
☐ User ID assigned to or
generated by a user of HUD IT
☐ Passwords generated by or
assigned to a user of HUD IT
☐ Biometric information used to
access HUD facilities or IT
☐ Information revealing an
individual’s presence in a
particular location as derived from
security token/key fob, employee
identification card scanners or
other IT or devices
☐ Other (please describe):
☐ Date and time an individual
accesses a facility, system, or
another IT
☐ Internet or other queries run
by a user of HUD IT
☐ Video of individuals derived
from security cameras
☐ Still photos of individuals
derived from security cameras.
☐ Files accessed by a user of HUD
IT (e.g., web navigation habits)
☐ Other (please describe):
☐ Other (please describe):
☐ Contents of files accessed by a
user of HUD IT
☐ Public Key Information (PKI).
☒ Internet Protocol (IP) Address
Other
☐ Other (please describe:
☐ Other (please describe:
☐ Other (please describe:
☐ Other (please describe:
Section 4.3: Sources of information and the method and manner of collection
Service Coordinators
Focus Group Participants
Specific PII identified in Section 4.2 that was acquired from
this source:
Specific PII identified in Section 4.2
that was acquired from this source:
Site Visit Interviews
Full names and business email addresses of FSS coordinators
for the purpose of contacting the service coordinators to
conduct the interviews. Supervisor and Case Manager full
names, business email addresses, for the purpose of
contacting for interviews.
Full names
Phone or mobile phone numbers for
the purpose of scheduling the
interviews.
FSS Participant Survey:
Race, ethnicity, gender, marital status, birth date, level of
education, years of work experience, home address; public
assistance case number; public assistance PersonID number,
Unemployment Insurance Wage state or federal level;
Federal employee ID Numbers,
Manner in which information is acquired from source by
Housing and Urban Development project/system: (select all
that apply):
Manner in which information is
acquired from source by Housing and
Urban Development project/system:
(select all that apply):
☒ From a paper or electronic form provided to individuals,
the public or members of a particular group
☒ From a paper or electronic form
provided to individuals, the public or
members of a particular group
HUD contract with MDRC, OMB Control #2528-0296,
Informed Consent language
HUD contract with MDRC, OMB
Control #2528-0296, Informed
Consent language
☐ Received in paper format other than a form.
☐ Received in paper format other
than a form.
☐ Delivered to the project on disk or other portable device
and uploaded to the system.
☐ Delivered to the project on disk or
other portable device and uploaded to
the system.
☐ Accessed and downloaded or otherwise acquired via the
internet
☐ Accessed and downloaded or
otherwise acquired via the internet
☒ Email
☐ Email
☐ Scanned documents uploaded to the system.
☐ Scanned documents uploaded to
the system.
☐ Bulk transfer
☐ Bulk transfer
☐ Extracted from particular technology (e.g., radio
frequency identification data (RFID) devices, video or
photographic cameras, biometric collection devices).
☐ Extracted from particular
technology (e.g., radio frequency
identification data (RFID) devices,
video or photographic cameras,
biometric collection devices).
☐ Fax
☐ Fax
☒ Extracted from notes of a phone interview or face to face
contact
☒ Extracted from notes of a phone
interview or face to face contact
☐ Other: Please describe:
☐ Other: Please describe:
☐ Other: Please describe:
☐ Other: Please describe:
Section 4.4: Privacy and/or civil liberties risks related to collection
Notice of Authority, Principal Uses, Routine Uses, and Effect of not Providing
Information
When Federal agencies use a form to obtain information from an individual that will be
maintained in a system of records, they must inform the individual of the following: “(A) the
authority (whether granted by statute, or by executive order of the President) which authorizes
the solicitation of the information and whether disclosure of such information is mandatory or
voluntary; (B) the principal purpose or purposes for which the information is intended to be
used; (C) the routine uses which may be made of the information as published pursuant to
paragraph (4)(D) of this subsection; and (D) the effects on her/him, if any, of not providing all or
any part of the requested information.” 5 U.S.C. § 552a(e)(3).
Section 4.4(a) ☒ Yes ☐ No Is any of the PII maintained in the system or by the project collected
directly from an individual?
Section 4.4(b) ☒ Yes ☐ No ☐ N/A Was the information collected from
the individual using a form (paper or electronic)?
Section 4.4(c) ☒ Yes ☐ No ☐ N/A If the answer to Section 4.4(b) was “yes,” was the individual
notified (on the form in which the PII was collected or on a separate form that can be retained by the
individual) about the following at the point where the information was collected (e.g., in a form; on a
website).
☒ The authority (whether granted by statute, or by Executive order of the President) which
authorizes the solicitation of the information.
☒ Whether disclosure of such information is mandatory or voluntary.
☒ The principal purpose or purposes for which the information is intended to be used.
☒ The individuals or organizations outside of HUD with whom the information may be/ will
be shared.
☒ The effects on the individual, if any, if they decide not to provide all or any part of the
requested information.
Authority to offer confidentiality is made on the basis of:
a) Section 3(b) of the Department of Housing and Urban Development Act, as amended, 42 U.S.C.
3532, authorizes the Secretary to “conduct continuing comprehensive studies, and make
available findings, with respect to the problems of housing and urban development.”
b) Section 7(r)(1) of the Department of Housing and Urban Development Act, as amended, 42 U.S.C.
3535, provides that appropriated funds “shall be available to the Secretary for evaluating and
monitoring of all such programs . . . and collecting and maintaining data for such purposes.”
Subsection (r)(4)(a) of the act further provides that the Secretary “may provide for evaluation and
monitoring under this subsection and collecting and maintaining data for such purposes directly
or by grants, contracts, or interagency agreements.”
c) Section 502(g) of title V of the Housing and Urban Development Act of 1970, as amended, 12 USC
1701z-2 (g), authorizes the Secretary “to request and receive such information or data as he
deems appropriate from private individuals and organizations, and from public agencies.” It
further provides that “[a]ny such information or data shall be used only for the purposes for
which it is supplied, and no publication shall be made by the Secretary whereby the information
or data furnished by any particular person or establishment can be identified, except with the
consent of such person or establishment.”
Before beginning all surveys, respondents will be provided an explanation of the purpose of the
evaluation and how their responses will be used. Participants in the survey will be promised that
their individual responses will be confidential and will be reported only in the aggregate, and they will
be asked to affirm their consent per IRB guidelines for human subject research.
The survey research instruments will be reviewed and approved by MDRC’s internal Institutional
Review Board prior to initiating any research. The Board operates according to the Common Rule on the
Protection of Human Subjects found in Title 45 of the Code of Federal Regulations, Part 46 (45 CFR
46).
Interview respondents will be asked to provide their informed consent per IRB guidelines for human
subject research, with appropriate confidentiality guaranteed that their comments will only be
summarized in aggregate and/or the specific details masked/changed to protect their identity, and
will not affect their access to future Family Self-Sufficiency Program funding.
MDRC’s research plans for the site visits will be subject to federal human subject review standards to
protect the confidentiality of all research subjects, including all persons interviewed. The site visit
research protocols will be reviewed and approved by the MDRC’s Institutional Review Board prior to
initiating any research. The interview protocols will receive a higher level of scrutiny through a Full
Review by the Board due to the inclusion of economically disadvantaged individuals to ensure their
rights as human subjects are protected. All raw and summarized data will be securely stored
according to HUD protocol, including proper password-protection and encryption as required for files
containing personally identifiable information.
Use of Social Security Numbers
Social Security numbers (“SSN”) are commonly used by identity thieves to commit fraudulent
acts against individuals. The SSN is one data element that has the ability to harm the individual
and requires more protection when used. Therefore, and to reduce risk to individuals and federal
agencies, OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally
Identifiable Information, (January 3, 2017) required agencies to reduce the use of SSNs in
agency systems and programs and to identify instances in which the collection is superfluous. In
addition, OMB mandated agencies to explore alternatives to agency use of SSNs as personal
identifiers for Federal employees and members of the public.
In addition, the Privacy Act provides that: “It shall be unlawful for any Federal, State or local
government agency to deny to any individual any right, benefit, or privilege provided by law
because of such individual’s refusal to disclose his social security account number.” Pub. L. No.
93–579, § 7. This provision does not apply to: (1) any disclosure which is required by federal
statute; or (2) any disclosure of an SSN to any federal, state, or local agency maintaining a
system of records in existence and operating before January 1, 1975, if such disclosure was
required under statute or regulation adopted prior to such date to verify the identity of an
individual. Id. at § 7(a)(2)(A)-(B).
Section 4.4(d) ☒ Yes ☐ No ☐ N/A Does the system or project maintain SSNs?
Section 4.4(e) ☐ Yes ☒ No ☐ N/A Are there any alternatives to the SSNs as a personal identifier? If
yes, please provide a narrative explaining why other alternatives to identify individuals will not be
used.
Section 4.4(f) ☐ Yes ☒ No ☐ N/A Will individuals be denied any right, benefit, or privilege provided
by law because of such individual's refusal to disclose their SSN? If yes, please check the applicable
box:
☐ SSN disclosure is required by Federal statute or Executive Order; or
☐ the SSN is disclosed to any Federal, state, or local agency maintaining a system of records
in existence and operating before January 1, 1975, and disclosure was required under statute
or regulation adopted prior to such date to verify the identity of an individual. If checked,
please provide the name of the system of records in the space provided below.
Section 4.4(g) ☒ Yes ☐ No ☐ N/A When the SSN is collected, are individuals given notice
whether disclosure is mandatory or voluntary, by what legal authority such number is solicited, and what
uses will be made of it? If yes, please explain what means are used to provide notice.
SSNs are being collected.
First Amendment Activities
The Privacy Act provides that Federal agencies “maintain no record describing how any
individual exercises rights guaranteed by the First Amendment unless expressly authorized by
statute or by the individual about whom the record is maintained or unless pertinent to and within
the scope of an authorized law enforcement activity.” 5 U.S.C. § 552a(e)(7).
Section 4.4(h) ☐ Yes ☒ No Does the system or project maintain any information describing how an
individual exercises their rights guaranteed by the First Amendment?
Section 4.4(h) If the system or project maintains information describing how an individual exercises
their rights guaranteed by the First Amendment, do any of the following exceptions apply (the
information may be maintained if any of the exceptions apply)?
☒ N/A (system or project does not maintain any information describing how an individual exercises
their rights guaranteed by the First Amendment so no exceptions are needed)
☐ The individual about whom the information was collected or maintained expressly
authorizes its collection/maintenance.
☐ The information maintained is pertinent to and within the scope of an authorized law
enforcement activity.
☐ There is a statute that expressly authorizes its collection.
☒ N/A, the system or project does not maintain any information describing how any
individual exercises their rights guaranteed by the First Amendment.
Section 5: Maintenance, use, and sharing of the information
The following sections require a clear description of the system’s or project’s use of information.
Section 5.1: Describe how and why the system or project uses the information it
collects and maintains
Please describe all of the uses of the information types and groupings collected and maintained
by the system or project (see Section 4.2), including a discussion of why the information is used
for this purpose and how it relates to the mission of the office that owns the system.
The information is being collected as part of the site visit interviews to enable the study team to
carry out qualitative data analysis. The information that is being collected as part of the
administrative analysis will be used to enable the study team to conduct the FSS Supervisor,
Case Manager, FSS Coordinator (staff) and FSS Participant surveys. The information that is being
collected from these surveys will be reported in the aggregate to present summary, aggregate level
information about what FSS providers do, understand the people they serve and how the FSS
program services impact their lives. All information will be reported in aggregate, and the
aggregate data would be scrubbed prior to any data submission to HUD. FSS participant data will
be destroyed upon completion of the interviews. Site visit interview data will be scrubbed and any
names, phone numbers, and business email addresses will be destroyed upon completion of the site
visit notes. Full names and business email addresses will be destroyed upon completion of the
survey. No names, phone numbers, or business email addresses will be retained or linked to any
other data provided by any of the service coordinators or FSS participants. MDRC’s Institutional
Review Board, which provides an independent, rigorous, human subjects review, has reviewed and
approved the methodology and instruments as providing sufficient human subject and privacy
protection.
A 60-day Federal Register notice was published on July 14, 2017: “Family Self-Sufficiency (FSS)
Program Demonstration,” Docket No. FR-6003-N-06. The information collected for this study is
covered by OMB Control #2528-0296.
Collecting Information Directly from the Individual When Using it to Make Adverse
Determinations About Them
The Privacy Act requires that Federal agencies “collect information to the greatest extent
practicable directly from the subject individual when the information may result in adverse
determinations about an individual’s rights, benefits, and privileges under Federal programs.” 5
U.S.C. § 552a(e)(2).
Section 5.1(a) ☐ Yes ☒ No Is it possible that the information maintained in the system or by the
project may be used by HUD to make an adverse determination about an individual’s rights, benefits,
and privileges under federal programs (e.g., decisions about whether the individual will receive a
financial benefit, get a clearance or access to a HUD facility, obtain employment with HUD)?
Section 5.1(b) ☐ Yes ☒ No Is it possible that HUD will share information maintained in the system
or by the project with a third-party external to the Department that will use the information to make
an adverse determination about an individual’s rights, benefits, and privileges under federal
programs?
Section 5.1(c) ☐ Yes ☐ No ☒ N/A If information could potentially be used to make an adverse
determination about an individual’s rights, benefits, and privileges under federal programs, does the
system or project collect information (to the greatest extent practicable) directly from the individual?
The purpose of this data system is to conduct research about the Family Self-Sufficiency program,
not to make any determination about an individual’s rights, benefits, or privileges under any
federal programs.
Data Mining
As required by Section 804 of the Implementing the 9/11 Commission Recommendations Act of
2007 (“9-11 Commission Act”), HUD reports annually to Congress on its data mining activities.
Section 5.1(d) ☐ Yes ☒ No Is information maintained in the system or by the project used to
conduct “data-mining” activities as that term is defined in the Implementing the 9-11 Commission
Act?
No data mining is occurring as part of this study.
Section 5.2: Ensuring accuracy, completeness, and timeliness of information
collected, maintained, and shared
Exemption from Accuracy, Relevance, Timeliness, and Completeness Requirements
The Privacy Act requires that Federal agencies “maintain all records which are used by the
agency in making any determination about any individual with such accuracy, relevance,
timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the
determination.” 5 U.S.C. § 552a(e)(5). If a particular system of records meets certain
requirements (including the NPRM process defined in Section 2 above), an agency may exempt
the system of records (or a portion of the records) from this requirement.
Section 5.2(a) ☐ Yes ☒ No Is all or any portion of the information maintained in the system or by
the project: (a) part of a system of records and (b) exempt from the accuracy, relevance, timeliness,
and completeness requirements in sections (e)(5) of the Privacy Act?
The information is being collected as part of the site visit interviews to enable the study team to
carry out qualitative data analysis. The information that is being collected as part of the administrative
analysis will be used to enable the study team to conduct the FSS Supervisor, Case Manager, FSS
Coordinator (staff) and FSS Participant surveys. The information that is being collected from these
surveys will be reported in the aggregate to present summary, aggregate level information about what
FSS providers do, understand the people they serve and how the FSS program services impact their
lives. All information will be reported in aggregate, and the aggregate data would be scrubbed prior to
any data submission to HUD. FSS participant data will be destroyed upon completion of the
interviews. Site visit interview data will be scrubbed and any names, phone numbers, and business
email addresses will be destroyed upon completion of the site visit notes. Full names and business
email addresses will be destroyed upon completion of the survey. No names, phone numbers, or
business email addresses will be retained or linked to any other data provided by any of the service
coordinators or FSS participants. MDRC’s Institutional Review Board, which provides an independent,
rigorous, human subjects review, has reviewed and approved the methodology and instruments as
providing sufficient human subject and privacy protection.
A 60-day Federal Register notice was published on July 14, 2017: “Family Self-Sufficiency (FSS)
Program Demonstration,” Docket No. FR-6003-N-06. The information collected for this study is
covered by OMB Control #2528-0296.
Computer Matching
The Computer Matching and Privacy Protection Act of 1988 amended the Privacy Act imposing
additional requirements when Privacy Act systems of records are used in computer matching
programs.
Pursuant to the Privacy Act, as amended, there are two distinct types of matching programs. The
first type of matching program involves the computerized comparison of two or more automated
federal personnel or payroll systems of records or a system of federal personnel or payroll
records with non-federal records. This type of matching program may be conducted for any
purpose. The second type of matching program involves the computerized comparison of two or
more automated systems of records or a system of records with non-federal records. The
purpose of this type of matching program must be for the purpose of eligibility determinations or
compliance requirements for applicants, recipients, beneficiaries, participants, or providers of
services for payments or in-kind assistance under federal benefit programs, or recouping
payments or delinquent debts under such federal benefit programs. See 5 U.S.C. § 552a(a)(8).
Matching programs must be conducted pursuant to a matching agreement between the source
and recipient agencies. The matching agreement describes the purpose and procedures of the
matching and establishes protections for matching records.
Section 5.2(b) ☐ Yes ☒ No Is any of the information maintained in the system or by the project (a)
part of a system of records and (b) used as part of a matching program?
Section 5.2(c) ☐ Yes ☒ No ☐ N/A Is there a matching agreement in place that contains the
information required by Section (o) of the Privacy Act?
Section 5.2(d) ☐ Yes ☐ No ☒ N/A Are assessments made regarding the accuracy of the records
that will be used in the matching program?
Section 5.2(e) ☐ Yes ☐ No ☒ N/A Does the office that owns the system or project independently
verify the information, provide the individual notice and an opportunity to contest the findings, or
obtain Data Integrity Board approval in accordance with Section (p) of the Privacy Act before taking
adverse action against the individual?
There is no matching program.
Ensuring Fairness in Making Adverse Determinations About Individuals
Federal agencies are required to “maintain all records which are used by the agency in making
any determination about any individual with such accuracy, relevance, timeliness, and
completeness as is reasonably necessary to assure fairness to the individual in the
determination.” 5 U.S.C. § 552a(e)(5). This requirement also applies when merging records
from two or more sources where the merged records are used by the agency to make any
determination about any individual.
Section 5.2(f) ☐ Yes ☒ No With respect to the information maintained in the system or by the project,
are steps taken to ensure all information used to make a determination about an individual is maintained with
such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the
individual in the determination? Selected “no” because you do not use information in the system or project
to make determinations about individuals.
The system is for research purposes only and is not involved in any determinations about individuals.
Merging Information About Individuals
Section 5.2(g) ☒ Yes ☐ No Is information maintained in the system or by the project merged
with electronic or non-electronic information from internal or external sources (e.g., other files or
systems)?
The only purpose of any merging is to compare the results from the PHA site visits to HUD
administrative records to verify information provided at the site visit.
Section 5.2(h) ☐ Yes ☒ No ☐ N/A Once merged, is the information used in making
determinations about individuals (e.g., decisions about whether the individual will receive a
financial benefit or payment, get a clearance or access to a HUD facility, obtain employment with
HUD, etc.)?
Section 5.2(i) ☒ Yes ☐ No ☐ N/A Are there documented policies or procedures for how
information is merged?
Section 5.2(j) ☐ Yes ☒ No ☐ N/A Do the documented policies or procedures address how to
proceed when partial matches (where some, but not all of the information being merged matches
a particular individual) are discovered after the information is merged?
The agreements mentioned above define the match criteria.
Section 5.2(k) ☐ Yes ☒ No ☒ N/A If information maintained in the system or by the project is
used to make a determination about an individual, are steps taken to ensure the accuracy,
relevance, timeliness, and completeness of the information as is reasonably necessary to assure
fairness to the individual?
The system is for research purposes only and is not involved in any determinations about
individuals.
Policies and Standard Operating Procedures or Technical Solutions Designed to
Ensure Information Accuracy, Completeness, and Timeliness
Section 5.2(l) ☐ Yes ☒ No ☐ N/A If information maintained in the system or by the project is
used to make any determination about an individual (even if it is an exempt system of records),
are there documented policies or standard operating procedures for the system or project that
address the accuracy, completeness, and timeliness of the information?
Section 5.2(m) ☐ Yes ☒ No Does the system or project use any software or other technical
solutions designed to improve the accuracy, completeness, and timeliness of the information used
to make an adverse determination about an individual's rights, benefits, and/or privileges
(regardless of if it is an exempt system of records)?
The system is for research purposes only and is not involved in any determinations about
individuals. During the analysis, the study team reviews the data to be sure it is complete and
accurate. If there are any questions, they go back to the source to resolve.
Accuracy, Completeness, and Timeliness of Information Received from the Source
Section 5.2(n) ☒ Yes ☐ No Did HUD receive any guarantee, assurance, or other information
from any information source(s) regarding the accuracy, timeliness and completeness of the
information maintained in the system or by the project?
The contract with MDRC and its subcontractor, M. Davis, provides a guarantee and assurance of
the accuracy, timeliness, and completeness of the information maintained in the system.
Disseminating Notice of Corrections of or Amendments to PII
Section 5.2(o) ☐ Yes ☐ No ☒ N/A Where feasible and appropriate, is there a process in place
for disseminating corrections of or amendments to the PII maintained in the system or by the
project to all internal and external information-sharing partners?
Section 5.2(p) ☐ Yes ☐ No ☒ N/A Where feasible and appropriate, does the process for
disseminating corrections or amendments include notifying the individual whose information is
corrected or amended?
This data system is for research purposes only and not related to any corrections or amendments
to the PII maintained in any system related to any internal or external information-sharing
partners.
Section 5.3: Information sharing within the Department of Housing and Urban
Development
Internal Information Sharing
Section 5.3(a) ☐ Yes ☒ No Is PII maintained in the system or by the project shared with other
HUD bureaus?
No PII will be shared with anyone at HUD or outside of the study team.
Section 5.3(b) ☐ Yes ☐ No Does the Housing and Urban Development office that receives the PII
limit access to those HUD officers and employees who have a need for the PII in the performance
of their official duties (i.e., those who have a “need to know”)?
N/A because there is no approved sharing of PII from MDRC with anyone at HUD.
Memorandum of Understanding/Other Agreements Limiting HUD’s Internal
Use/Disclosure of PII
Section 5.3(c) ☒ Yes ☐ No ☐ N/A Is any of the PII maintained in the system or by the project
subject to the requirements of a Memorandum of Understanding or other agreement (e.g.,
agreement with another federal or state agency that provided the information to Housing and
Urban Development or subject to an international agreement or treaty) that limits or places
conditions on HUD’s internal use, maintenance, handling, or disclosure of the PII?
There is a contract in place between HUD and MDRC, and a Consent Form approved by OMB
established between MDRC and the study participants. (See Federal Register Notice, Docket No.
FR-5613-N-07 published on 7/17/2012.) The information collected for this study is covered by OMB
Control #2528-0296.
Internal Information Sharing Chart
Internal Recipient’s Name (e.g., or office): MDRC
Purpose of the Sharing: N/A. There is no internal sharing of PII.
PII Shared:
Applicable Statutory or Regulatory or Restrictions on Information Shared:
Applicable Restrictions Imposed by Agreement on Information Shared (e.g., by HUD agreement with the party that provided the information to HUD):
Name and Description of MOU or Other Agreement Restricting HUD’s Internal Use, Maintenance, Handling, or Sharing of PII Received:
Method of PII Transfer (e.g., paper/oral disclosures/magnetic disk/portable device/email/fax/other (please describe if other)): There is no transfer of PII or sharing of PII with HUD or anyone outside of the research team.
Section 5.4: Information sharing with external (i.e., outside HUD) organizations and
individuals
External Information Sharing
Section 5.4(a) ☐ Yes ☒ No Is PII maintained in the system or by the project shared with agencies,
organizations, or individuals external to HUD?
There is no sharing of PII outside of the study team.
Accounting of Disclosures
Section 5.4(b) ☐ Yes ☐ No ☒ N/A With respect to records maintained in the system or by the
project that are subject to the Privacy Act, do you maintain a paper or electronic log or other
record of the date, nature, and purpose of each disclosure (not including intra-agency disclosures
and FOIA disclosures) of a record to any person or to another agency (outside of HUD) and the
name and address of the person or agency to whom the disclosure is made? See 5 U.S.C §
552a(c).
Section 5.4(c) ☐ Yes ☐ No ☒ N/A If you do not keep a running tabulation of every disclosure at
the time it is made, are you able to reconstruct an accurate and complete accounting of
disclosures so as to be able to respond to Privacy Act requests in a timely fashion?
Section 5.4(d) ☐ Yes ☐ No ☒ N/A With respect to records maintained in the system or by the
project that are subject to the Privacy Act, do you retain the log or other record of the date,
nature, and purpose of each disclosure, for at least five years or the life of the record, whichever is
longer, after the disclosure for which the accounting is made?
Section 5.4(e) ☐ Yes ☒ No ☐ N/A With respect to records maintained in the system or by the
project that are subject to the Privacy Act, does your office exempt the system of records (as
allowed by the Privacy Act in certain circumstances) from the requirement to make the accounting
available to the individual named in the record?
Section 5.4(f) ☐ Yes ☒ No ☐ N/A With respect to records maintained in the system or by the
project that are subject to the Privacy Act, does your office exempt the system of records (as
allowed by the Privacy Act in certain circumstances) from the requirement to inform any person
or other agency about any correction or notation of dispute made by the agency of any record
that has been disclosed to the person or agency if an accounting of the disclosure was made?
There is no non-compliance or basis for exemption from the Privacy Act which mitigates against
any privacy and civil liberties risks.
Statutory or Regulatory Restrictions on Disclosure
Section 5.4(g) ☒ Yes ☐ No In addition to the Privacy Act, are there any other statutory or
regulatory restrictions on the sharing of any of the PII maintained in the system or by the project
(e.g., 26 U.S.C § 6103 for tax returns and return information)?
12 U.S.C. § 1701z-1 established PD&R and its authority to conduct research. 12 U.S.C. 1701z-2(g),
Information and data, gives PD&R the authority to request personal information from people. (See
Federal Register Notice, Docket No. FR-5613-N-07 published on 7/17/2012.) The information
collected for this study is covered by OMB Control #2528-0296.
Memorandum of Understanding Related to External Sharing
Section 5.4(h) ☒ Yes ☐ No ☐ N/A Has HUD executed a Memorandum of Understanding, or
entered into any other type of agreement, with any external agencies, organizations, or
individuals with which/whom it shares PII maintained in the system or by the project?
HUD executed a contract with MDRC in March 2012 to conduct the Family Self-Sufficiency
Program evaluation, and data collection activities are subject to the Privacy Act, a HUD-MDRC,
and OMB-approved consent forms that MDRC has established with the study participants. (See
Federal Register Notice, Docket No. FR-5613-N-07 published on 7/17/2012.) The information
collected for this study is covered by OMB Control #2528-0296.
Memorandum of Understanding Limiting HUD’s Use or Disclosure of PII
Section 5.4(i) ☒ Yes ☐ No Is any of the PII maintained in the system or by the project subject to
the requirements of a Memorandum of Understanding or other agreement (e.g., agreement with
another federal or state agency, an international agreement or treaty, or contract with private
vendor that provided the information to HUD) that limits or places conditions on HUD’s internal
use or external (i.e., outside HUD) sharing of the PII?
HUD executed a contract with MDRC in March 2012 to conduct the Family Self-Sufficiency
Program evaluation, and their data collection is subject to the Privacy Act, a HUD-MDRC, and
OMB-approved consent forms that MDRC has established with the study participants. The
information collected for this study is covered by OMB Control #2528-0296. (See Federal Register
Notice, Docket No. FR-5613-N-07 published on 7/17/2012.)
All of these agreements preclude MDRC from sharing any PII with HUD or any other external
entity.
Memorandum of Understanding Limiting External Party’s Use or Disclosure of PII
Section 5.4(j) ☐ Yes ☒ No Is any of the PII maintained in the system or by the project subject
to the requirements of a Memorandum of Understanding or other agreement in which HUD limits
or places conditions on an external party’s use, maintenance, handling, or disclosure of PII shared
by HUD?
HUD executed a contract with MDRC in March 2012 to conduct the Family Self-Sufficiency
Program evaluation, and their data collection is subject to the Privacy Act, a HUD-MDRC, and
OMB-approved consent forms that MDRC has executed with the study participants. (See Federal
Register Notice, Docket No. FR-5613-N-07 published on 7/17/2012.) The information collected for
this study is covered by OMB Control #2528-0296.
External Information Sharing Chart
Section 5.4(k) ☐ Yes ☒ No Is information from the system or project shared externally?
External Recipient’s Name:
Purpose of the Sharing:
PII Shared:
Content of Applicable Routine Use/Citation to the SORN:
Applicable Statutory or Regulatory or Restrictions on Information Shared:
Name and Description of Relevant MOUs or Other Agreements Containing Sharing Restrictions Imposed on HUD by an External Source or Source/Originating Agency (including description of restrictions imposed on use, maintenance, and disclosure of PII):
Name and Description of Relevant MOUs or Other Agreements Containing Restrictions Imposed by HUD on External Sharing Partner (including description of restrictions imposed on use, maintenance, and disclosure of PII):
Method(s) Used to Transfer PII (e.g., paper/oral disclosures/magnetic disk/portable device/email/fax/other (please describe if other)):
There is no external sharing of information based on the contract, and an NDA is in place between
HUD and MDRC. A Consent Form is in place between the MDRC and the study participants. The
information collected for this study is covered by OMB Control #2528-0296.
Obtaining Consent Prior to New Disclosures Not Included in the SORN or Authorized
by the Privacy Act
Section 5.4(l) ☒ Yes ☐ No ☐ N/A Is the individual’s consent obtained, where feasible and
appropriate, prior to any new disclosures of previously collected records in a system of records
(those not expressly authorized by the Privacy Act or contained in the published SORN (e.g., in the
routine uses))?
Consent is required by the MDRC’s Institutional Review Board, by the consent form and was
approved by OMB. (See Federal Register Notice, Docket No. FR-5613-N-07 published on
7/17/2012.) The information collected for this study is covered by OMB Control #2528-0296.
Section 6: Compliance with federal information management
requirements
Responses to the questions below address the practical, policy, and legal consequences of
failing to comply with one or more of the following federal information management
requirements (to the extent required) and how those risks were or are being mitigated: (1) the
Privacy Act System of Records Notice Requirement; (2) the Paperwork Reduction Act; (3) the
Federal Records Act; (4) the E-Gov Act security requirements; and (5) Section 508 of the
Rehabilitation Act of 1973.
Section 6.1: Privacy Act System of Records Notice (SORN)
For collections of PII that meet certain requirements, the Privacy Act requires that the agency
publish a SORN in the Federal Register.
System of Records
Section 6.1(a) ☒ Yes ☐ No Does the system or project retrieve records about an individual using
an identifying number, symbol, or other identifying particular assigned to the individual? (see
items selected in Section 4.2 above)
Section 6.1(b) ☐ Yes ☒ No ☐ N/A Was a SORN published in the Federal Register for this system
of records?
Section 6.2: The Paperwork Reduction Act
The PRA requires OMB approval before a Federal agency may collect standardized data from 10
or more respondents within a 12-month period. OMB requires agencies to conduct a PCLIA (a
HUD PCLIA) when initiating, consistent with the PRA, a new electronic collection of PII for 10
or more persons (excluding agencies, instrumentalities, or employees of the federal government).
Paperwork Reduction Act Compliance
Section 6.2(a) ☒ Yes ☐ No Does the system or project maintain information obtained from individuals and
organizations who are not federal personnel or an agency of the federal government (i.e., outside the federal
government)?
Section 6.2(b) ☒ Yes ☐ No ☐ N/A Does the project or system involve a new collection of information in
identifiable form for 10 or more persons from outside the federal government?
Section 6.2(c) ☒ Yes ☐ No ☐ N/A Did the project or system complete an Information Collection Request
(“ICR”) and receive OMB approval?
The information collected for this study is covered by OMB Control #2528-0296.
Section 6.3: Records Management - NARA/Federal Records Act Requirements
Records retention schedules determine the maximum amount of time necessary to retain
information in order to meet the needs of the project or system. Information is generally either
disposed of or sent to the National Archives and Records Administration (NARA) for permanent
retention upon expiration of this period.
NARA Records Retention Requirements
Section 6.3(a) ☒ Yes ☐ No Are the records used in the system or by the project covered by
NARA’s General Records Schedules (“GRS”) or HUD/ Specific Records Schedule (SRS)?
Section 6.3(b) ☒ Yes ☐ No Did NARA approve a retention schedule for the records
maintained in the system or by the project?
Section 6.3(c) ☐ Yes ☐ No ☒ N/A If NARA did not approve a retention schedule for the records
maintained in the system or by the project and the records are not covered by NARA’s GRS or
HUD/ SRS, has a draft retention schedule (approved by all applicable HUD officials) been
developed for the records used in this project or system?
2225.6 REV-1, Appendix 67, Records Disposition Schedule 67 PD&R, Item No. 5
Project case files reflecting a complete history of each project from initiation
through research, development, design, testing, and demonstration.
Disposition
Retire to Federal Records Center 3 years after satisfactory close of project that volume warrants.
Destroy 6 years after satisfactory close of project. (NARA Job NCl-207-78-6, item 5).
https://portal.hud.gov/hudportal/documents/huddoc?id=22256x67ADMH.pdf
Section 6.4: E-Government Act/NIST Compliance
The completion of Federal Information Security Management Act (“FISMA”) Security
Assessment & Authorization (SA&A) process is required before a federal information system
may receive Authority to Operate (“ATO”). Different security requirements apply to National
Security Systems.
Federal Information System Subject to FISMA Security Assessment and Authorization
Section 6.4(a) ☐ Yes ☐ No ☒ N/A Is the system a federal information system subject to FISMA
requirements?
Section 6.4(b) ☐ Yes ☐ No ☒ N/A Has the system or project undergone a SA&A and received
ATO?
Access Controls and Security Requirements
Section 6.4(c) ☒ Yes ☐ No Does the system or project include access controls to ensure limited
access to information maintained by the system or project?
Only the MDRC research team can access the information/data collected.
Security Risks in Manner of Collection
Section 6.4(d) ☐ Yes ☒ No In Section 4.3 above, you identified the sources for information used
in the system or project and the method and manner of collection. Were any security, privacy, or
civil liberties risks identified with respect to the manner in which the information is collected from
the source(s)?
Security Controls When Sharing Internally or Externally
Section 6.4(e) ☒ Yes ☐ No ☐ N/A Are all HUD security requirements met in the method of
transferring information (e.g., bulk transfer, direct access by recipient, portable disk, paper) from
Housing and Urban Development project or system to internal or external parties?
The contract and NDA with MDRC specify that they are to comply with HUD security requirements.
Monitoring of Individuals
Section 6.4(f) ☐ Yes ☒ No Will this system or project have the capability to identify, locate, and
monitor individuals or groups of people?
There is no monitoring of individuals.
Audit Trails
Section 6.4(g) ☐ Yes ☒ No Are audit trails regularly reviewed for appropriate use, handling, and
disclosure of PII maintained in the system or by the project inside or outside of the Department?
There is no disclosure of PII by the project inside or outside of the MDRC research team.
Section 6.5: Section 508 of the Rehabilitation Act of 1973
When Federal agencies develop, procure, maintain, or use Electronic and Information
Technology (“EIT”), Section 508 of the Rehabilitation Act of 1973 (as amended in 1998)
requires that individuals with disabilities (including federal employees) must have access and use
(including privacy policies and directives as well as redress opportunities) that is comparable to
that which is available to individuals who do not have disabilities.
Applicability of and Compliance With the Rehabilitation Act
Section 6.5(a) ☐ Yes ☒ No Will the project or system involve the development, procurement,
maintenance or use of EIT as that term is defined in Section 508 of the Rehabilitation Act of 1973
(as amended in 1998)?
The Rehabilitation Act is not applicable.
Section 6.5(b) ☐ Yes ☒ No ☐ N/A Does the system or project comply with all Section 508
requirements, thus ensuring that individuals with disabilities (including federal employees) have
access and use (including access to privacy and civil liberties policies) that is comparable to that
which is available to individuals who do not have disabilities?
This is not a public facing system, so the impact of the lack of Section 508 compliance is
minimized.
Section 7: Redress
Access Under the Freedom of Information Act and Privacy Act
Section 7.0(a) ☒ Yes ☐ No Does the agency have a published process in place by which
individuals may seek records under the Freedom of Information Act and Privacy Act?
The HUD FOIA and PA disclosure regulations can be found at 24 CFR Pt. 15 (2001) and 24 CFR 16.1.
Privacy Act Access Exemption
Section 7.0(b) ☐ Yes ☒ No Was any of the information that is maintained in system of records
and used in the system or project exempted from the access provisions of the Privacy Act?
Additional Redress Mechanisms
Section 7.0(c) ☐ Yes ☒ No With respect to information maintained by the project or system
(whether or not it is covered by the Privacy Act), does the or office that owns the project or
system have any additional mechanisms other than Privacy Act and FOIA remedies (e.g., a
customer satisfaction unit; a complaint process) by which an individual may request access to
and/or amendment of their information and/or contest adverse determinations about denial of
their rights, benefits, and privileges under federal programs (e.g., decisions about whether the
individual will receive a financial benefit, get a clearance or access to a HUD facility, obtain
employment with HUD)?
There is contact information on the consent forms where individuals can ask questions or
withdraw future participation from the study. This is a research study and so there is no
involvement of rights, benefits, or privileges under federal programs.
Responsible Officials
Helen Goff Foster
Senior Agency Official for Privacy
U.S. Department of Housing and Urban Development
Elizabeth A. Cocke
Division Director
Affordable Housing Research and Technology Division
Office of Policy Development and Research
U.S. Department of Housing and Urban Development
Regina C. Gray
Social Science Analyst and Contracting Officer’s Technical Representative
Affordable Housing Research and Technology Division
Office of Policy Development and Research
U.S. Department of Housing and Urban Development
Approval Signature
Digitally signed by HELEN FOSTER
Date: 2017.11.20 10:06:17 -05'00'
________________________________
Helen Goff Foster
Senior Agency Official for Privacy
U.S. Department of Housing and Urban Development
File Type | application/pdf |
File Title | Microsoft Word - PCLIA FSS (rcg 10.20.17).docx |
Author | h18426 |
File Modified | 2017-11-20 |
File Created | 2017-11-20 |