Ipa
Privacy Impact Assessment IDIS (6-7-2017).docx
Consolidated Plan, Annual Action Plan & Annual Performance Report
IPA
OMB: 2506-0117
U.S. Department of Housing and
Urban Development
Community Planning and Development
System Development and Evaluation Division
Integrated Disbursement and Information System OnLine
(IDIS) OnLine-C04
Privacy Impact Assessment
Updated June 7, 2017
Abstract
IDIS OnLine collects the names of local projects and activities funded by grants, the amount of funds used for projects and activities, the amount and type of funds spent, the nature of the activity on which the money is spent, and accomplishments resulting from the expenditure of funds. Grantees enter this information into IDIS OnLine. For the , CDBG, ESG, and HOPWA programs, aggregated information on the nature of all beneficiaries for an activity are entered into IDIS OnLine such as the total number of housing units, total number of jobs, total number of persons, total number of households benefiting from the activity, and the income and racial characteristics of the group of beneficiaries for those activities. The HOME and HTF programs require its grantees to report accomplishments by individual households assisted, which consists of the name of the project owner, . and both racial and income characteristics of beneficiaries .
Overview
IDIS OnLine is an existing grants management system used currently by grantees of eight formula grant programs managed by CPD. The first five are Community Development Block Grant (CDBG), HOME Investment Partnerships (HOME), Emergency Shelter Grants (ESG), Housing Opportunities for Persons with AIDS formula (HOPWA), and Housing Trust Fund (HTF) programs. IDIS OnLine also supports three special grant programs established by the 2009 American Recovery and Reinvestment Act (ARRA) including Tax Credit Assistance Program (TCAP), Community Development Block Grant-Recovery (CDBG-R), and Homelessness Prevention & Rapid Re-housing Program (HPRP). All of these grants programs have “back end” review requirements. Collecting the information is necessary to determine if each program's money was spent on eligible activities as well as verify that grantees are complying with all the statutory and regulatory provisions for the use of the grants funds.
IDIS OnLine is accessible via the internet at http://www.hud.gov/offices/cpd/systems/idis/idis.cfm
Click on a link to get to the IDIS OnLine login page. Most grantees save information directly from the web screens; however about 25 of the 1200+ grantees prefer to transmit data to IDIS OnLine using HUD’S Electronic Data Interchange to upload large amounts of data electronically into IDIS OnLine. Grantee internet access utilizes SSL technology with 128 bit encryption.
IDIS OnLine interfaces with LOCCS to allow grantee users to draw program funds. IDIS OnLine also has an Electronic Data Interchange (EDI) function that many larger grantees use to batch-upload activity and accomplishment data and minimize data entry. Now that IDIS OnLine has been modernized to EA-compliant technology, IDIS OnLine is interconnected with CPD’s Grant Management Process (GMP) and there are future plans to link IDIS OnLine with other eGrants systems such as Disaster Recovery Grant Reporting (DRGR).
Section 1.0 Authorities and Other Requirements
1.1 What specific legal authorities and/or agreements permit and define the collection of information by the project in question?
CDBG: The Housing and Community Development (HCD) Act of 1974 authorizes the Secretary to require recipients of assistance under this chapter to submit to him such reports and other information as may be necessary. Section 104(e) of the Housing and Community Development Act of 1974 gives HUD the authority to collect this information from grantees.
CDBG-R: The Housing and Community Development (HCD) Act of 1974 authorizes the Secretary to require recipients of assistance under this chapter to submit to him such reports and other information as may be necessary. Section 104(e) of the Housing and Community Development Act of 1974 gives HUD the authority to collect this information from grantees.
ESG: Grantee reporting in IDIS are derived from 24 CFR parts 85 and 91. HUD is authorized to establish regulations to administer the ESG grant program under section 416 of the McKinney-Vento Homeless Assistance Act. The ESG regulations at 24 CFR 576.57(b) incorporate the administrative requirements under 24 CFR part 85. Under 24 CFR 85.40(b), grantees must submit reports on their performance, and under 24 CFR 85.41, grantees must submit financial reports under. Additionally, as specified under 24 CFR 91.2(a), ESG grantees are subject to the consolidated planning requirements under 24 CFR part 91. Under 24 CFR 91.520, grantees must annually report on their performance in a form prescribed by HUD.
HPRP: American Recovery and Reinvestment Act of 2009 and the Notice of Allocations, Application Procedures, and Requirements for Homelessness Prevention and Rapid Re-housing Program Grantees under the American Recovery and Reinvestment Act of 2009 (HPRP Notice).
TCAP: American Recovery and Reinvestment Act of 2009
HOME: Statute: HOME Investment Partnerships Act-Title II of the Cranston Gonzalez National Affordable Housing Act (P.L. 101-625); Home Regulations are codified at 24 CFR Part 92; PRA OMB Control 2506-0171
HOPWA: Statute: AIDS Housing Opportunity Act, Public Law 101-625, title VIII, §12911, Report: “Any organization or agency that receives a grant under this chapter shall submit to the Secretary, for any fiscal year in which the organization or agency receives a grant under this chapter, a report describing the use of the amounts received, which shall include the number of individuals assisted, the types of assistance provided, and any other information that the Secretary determines to be appropriate.”, and implementing regulations at §574.520.
HTF: The National Housing Trust Fund (HTF) is an affordable housing production program that will complement existing Federal, state and local efforts to increase and preserve the supply of decent, safe, and sanitary affordable housing for extremely low-income households, including homeless families.
HTF was established under Title I of the Housing and Economic Recovery Act of 2008, Section 1131 (Public Law 110-289). Section 1131 of HERA amended the Federal Housing Enterprises Financial Safety and Soundness Act of 1992 (12 U.S.C. 4501 et seq.) (Act) to add a new section 1337, entitled "Affordable Housing Allocation" and a new section 1338, entitled "Housing Trust Fund."
States and state-designated entities are eligible grantees for the HTF. HUD will allocate HTF funds by formula annually.
1.2 What Privacy Act System of Records Notice(s) (SORN(s)) apply to the information?
|
Name of Information Collection Request:
|
OMB Control #:
|
CDBG |
Community Development Block Grant (CDBG) Entitlement Program, State Community Development Block Grant (CDBG) Program, CDBG Urban County/New York Towns Qualification/Requalification Process Consolidated Plan IDIS OnLine Access Request Form |
2506-0077 2506-0085 2506-0170 2506-0117 2506-0171 |
HOME |
HOME Investment Partnerships Program Consolidated Plan IDIS OnLine Access Request Form |
2506-0171 2506-0117 |
ESG |
Consolidated Plan IDIS OnLine Access Request Form |
2506-0117 2506-0171 |
HOPWA |
Housing Opportunities for Persons with AIDS (HOPWA) Program: Competitive Grant Application; Annual Progress Report (APR) for (Competitive Grantees); Consolidated Annual Performance...(Caper) Consolidated Plan IDIS OnLine Access Request Form |
2506-0133 2506-0117 2506-0171 |
TCAP |
Tax Credit Assistance Program (TCAP) Consolidated Plan. IDIS OnLine Access Request Form |
2506-0181 2506-0171 |
CDBG-R |
Community development Block Grant Consolidated Plan Recovery (CDBG-R) Program IDIS OnLine Access Request Form
|
2506-0184 2506-0117 2506-0171 |
HPRP |
Homelessness Prevention and Rapid Re-Housing Program (HPRP) Quarterly Performance Report and Supplement to First Report Consolidated Plan IDIS OnLine Access Request Form |
2506-0186 2506-0117 2506-0171 |
1.3 Has a system security plan been completed for the information system(s) supporting the project?
Authority To Operate (ATO) Date: 5/11/2015 / Authority To Operate Expiration (ATO) 5/11/2018
1.4 Does a records retention schedule approved by the National Archives and Records Administration (NARA) exist?
IDIS Currently follows HUD’s Record Retention Policies and Procedures
1.5 If the information is covered by the Paperwork Reduction Act (PRA), provide the OMB Control number and the agency number for the collection. If there are multiple forms, include a list in an appendix.
|
Name of Information Collection Request:
|
OMB Control #:
|
CDBG |
Community Development Block Grant (CDBG) Entitlement Program, State Community Development Block Grant (CDBG) Program, CDBG Urban County/New York Towns Qualification/Requalification Process Consolidated Plan IDIS OnLine Access Request Form |
2506-0077 2506-0085 2506-0170 2506-0117 2506-0171 |
HOME |
HOME Investment Partnerships Program Consolidated Plan IDIS OnLine Access Request Form |
2506-0171 2506-0117 |
ESG |
Consolidated Plan IDIS OnLine Access Request Form |
2506-0117 2506-0171 |
HOPWA |
Housing Opportunities for Persons with AIDS (HOPWA) Program: Competitive Grant Application; Annual Progress Report (APR) for (Competitive Grantees); Consolidated Annual Performance...(Caper) Consolidated Plan IDIS OnLine Access Request Form |
2506-0133 2506-0117 2506-0171 |
TCAP |
Tax Credit Assistance Program (TCAP) Consolidated Plan. IDIS OnLine Access Request Form |
2506-0181 2506-0171 |
CDBG-R |
Community development Block Grant Consolidated Plan Recovery (CDBG-R) Program IDIS OnLine Access Request Form
|
2506-0184 2506-0117 2506-0171 |
HPRP |
Homelessness Prevention and Rapid Re-Housing Program (HPRP) Quarterly Performance Report and Supplement to First Report Consolidated Plan IDIS OnLine Access Request Form |
2506-0186 2506-0117 2506-0171 |
Section 2.0 Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected, as well as reasons for its collection.
2.1 Identify the information the project collects, uses, disseminates, or maintains.
N/A - Individuals don’t apply – it’s organizations that apply for grants. They collect the information they need to manage the activity.
If the project or system creates new information (for example, a score, analysis, or report) describe how this is done and the purpose of that information.
N/A
If the project receives information from another system, such as a response to a background check, describe the system from which the information originates, including what information is returned and how it is used.
IDIS OnLine interfaces with LOCCS to allow grantee users to draw program funds. IDIS OnLine also has an Electronic Data Interchange (EDI) function that many larger grantees use to batch-upload activity and accomplishment data and minimize data entry. Now that IDIS OnLine has been modernized to EA-compliant technology, IDIS OnLine is interconnected with CPD’s Grant Management Process (GMP) and there are future plans to link IDIS OnLine with other eGrants systems such as Disaster Recovery Grant Reporting (DRGR).
2.2 What are the sources of the information and how is the information collected for the project?
A project may collect information directly from an individual, receive it via computer readable extract from another system, or create the information itself. List the individual(s) providing the specific information identified in 2.1.
If information is being collected from sources other than the individual, including other IT systems, systems of records, commercial data aggregators, and/or other Departments, state the source(s) and explain why information from sources other than the individual is required.
Does your project collect information using different types of technologies such as radio frequency identification data (RFID) devices, video or photographic cameras, or biometric collection devices?
N/A - Individuals don’t apply – it’s organizations that apply for grants. They collect the information they need to manage the activity.
2.3 Does the project use information from commercial sources or publicly available data? If so, explain why and how this information is used.
Commercial data includes information from data aggregators such as Choice Point or Lexis Nexis, where the information was originally collected by a private organization for non-governmental purposes, such as marketing or credit reporting.
Publicly available data includes information obtained from the internet, news feeds, or from state or local public records, such as court records where the records are received directly from the state or local agency, rather than from a commercial data aggregator.
State whether the commercial or public source data is marked within the system.
Example: The commercial data is used as a primary source of information regarding the individual. Alternatively, the commercial data is used to verify information already provided by or about the individual.
N/A - Individuals don’t apply – it’s organizations that apply for grants. They collect the information they need to manage the activity.
2.4 Discuss how accuracy of the data is ensured.
Explain how the project checks the accuracy of the information.
Describe the process used for checking accuracy. If a commercial data aggregator is involved describe the levels of accuracy required by the contract. Sometimes information is assumed to be accurate, or in R&D, inaccurate information may not have an impact on the individual or the project. If the project does not check for accuracy, please explain why.
Describe any technical solutions, policies, or procedures focused on improving data accuracy and integrity of the project.
Example: The project may check the information provided by the individual against any other source of information (within or outside your organization) before the project uses the information to make decisions about an individual.
N/A - Individuals don’t apply – it’s organizations that apply for grants. They collect the information they need to manage the activity.
2.5 Privacy Impact Analysis: Related to Characterization of the Information
Follow the format below.
Privacy Risk: There are no privacy risks due to the absence of PII collected.
Mitigation: N/A
Section 3.0 Uses of the Information
The following questions require a clear description of the project’s use of information.
3.1 Describe how and why the project uses the information.
There are no PII data elements, no SSN are used or collected.
3.2 Does the project use technology to conduct electronic searches, queries, or analyses in an electronic database to discover or locate a predictive pattern or an anomaly? If so, state how HUD plans to use such results.
The system application uses simple key word search for immediate use (search criteria and results are not stored).
3.3 Are there other program office with assigned roles and responsibilities within the system?
The system application uses simple key word search for immediate use (search criteria and results are not stored).
3.4 Privacy Impact Analysis: Related to the Uses of Information
Privacy Risk: There are no privacy risks due to the absence of PII collected.
Mitigation: N/A
Section 4.0 Notice
The following questions seek information about the project’s notice to the individual about the information collected, the right to consent to uses of said information, and the right to decline to provide information.
4.1 How does the project provide individuals notice prior to the collection of information? If notice is not provided, explain why not.
There is no PII information, so no Privacy Act statement is needed.
4.2 What opportunities are available for individuals to consent to uses, decline to provide information, or opt out of the project?
There is no PII information in the system, so there is nothing to decline or consent to use.
4.3 Privacy Impact Analysis: Related to Notice
Privacy Risk: There are no privacy risks due to the absence of PII collected.
Mitigation: N/A
Section 5.0 Data Retention by the project
The following questions are intended to outline how long the project retains the information after the initial collection.
5.1 Explain how long and for what reason the information is retained.
IDIS does not contain any PII data
5.2 Privacy Impact Analysis: Related to Retention
Privacy Risk: There are no privacy risks due to the absence of PII collected.
Mitigation: N/A
Section 6.0 Information Sharing
The following questions are intended to describe the scope of the project information sharing external to the Department. External sharing encompasses sharing with other federal, state and local government, and private sector entities.
6.1 Is information shared outside of HUD as part of the normal agency operations? If so, identify the organization(s) and how the information is accessed and how it is to be used.
HUD does not share IDIS Online information with others, although it allows grantees to download their own data, and it does respond to FOIA requests. The system does store some information, such as the location of shelters, which, if released indiscriminately, could pose a potential violation of safety for those living in the shelter. The IDIS Online system administrator reviews all FOIA disseminations to guarantee that no violations of personal security are breached.
6.2 Describe how the external sharing noted in 6.1 is compatible with the SORN noted in 1.2.
HUD publishes HOME and HTF reports on its website on a monthly and quarterly basis. These reports do not include any PII.
6.3 Does the project place limitations on re-dissemination?
See Answer to question 6.1
6.4 Describe how the project maintains a record of any disclosures outside of the Department.
See Answer to question 6.1
6.5 Privacy Impact Analysis: Related to Information Sharing
Discuss the privacy risks associated with the sharing of information outside of the Department. How were those risks mitigated? Discuss whether access controls have been implemented and whether audit logs are regularly reviewed to ensure appropriate sharing outside of the Department. For example, is there a Memorandum Of Understanding (MOU), contract, or agreement in place with outside agencies or foreign governments.
Discuss how the sharing of information outside of the Department is compatible with the stated purpose and use of the original collection.
Follow the format below.
Privacy Risk: There are no privacy risks due to the absence of PII collected.
Mitigation: N/A
Section 7.0 Redress
The following questions seek information about processes in place for individuals to seek redress which may include access to records about themselves, ensuring the accuracy of the information collected about them, and/or filing complaints.
7.1 What are the procedures that allow individuals to access their information?
There is no PII information therefore redress is N/A
7.2 What procedures are in place to allow the subject individual to correct inaccurate or erroneous information?
There is no PII information therefore redress is N/A
7.3 How does the project notify individuals about the procedures for correcting their information?
There is no PII information therefore redress is N/A
7.4 Privacy Impact Analysis: Related to Redress
Privacy Risk: There is no PII information therefore redress is N/A
Mitigation: N/A
Section 8.0 Auditing and Accountability
The following questions are intended to describe technical and policy based safeguards and security measures.
8.1 How does the project ensure that the information is used in accordance with stated practices in this PIA?
Regular audits are performed to ensure that there is no PII in the system.
8.2 Describe the privacy training that is provided to users either generally or specifically relevant to the project.
N/A - Given that there is no PII in the system.
8.3 What procedures are in place to determine which users may access the information and how will the project determine who has access?
This is governed by NIST Control AC-02 (Account Management), per ATO in effect to May 11, 2018.
8.4 How does the project review and approve information sharing agreements, MOUs, new uses of the information, new access to the system by organizations within HUD and outside?
N/A – There is no PII in the system (thus no MOU’s)
I have carefully assessed the Privacy Impact Assessment (PIA) for [Insert Name of IT System and/ or Information Collection Request]. This document has been completed in accordance with the requirement set forth by the E-Government Act of 2002 and OMB Memorandum 03-22 which requires that "Privacy Impact Assessments" (PIAs) be conducted for all new and/ or significantly altered IT Systems, and Information Collection Requests.
Please check the appropriate statement.
|
The document is accepted. |
|
The document is accepted pending the changes noted. |
|
The document is not accepted. |
Based on our authority and judgment, the data captured in this document is current and accurate.
|
|
|
|
|
|
System Owner |
|
Date |
[PROGRAM OFFICE] |
|
|
|
|
|
|
|
|
|
|
|
Program Area Manager |
|
Date |
[Program Office] |
|
|
|
|
|
|
|
|
|
|
|
Chief Privacy Officer |
|
Date |
Office of Administration |
|
|
U. S. Department of Housing and Urban Development |
|
|
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | Davis, Porter B |
| File Modified | 0000-00-00 |
| File Created | 2021-01-21 |
© 2025 OMB.report | Privacy Policy