Pia

Att 7-PIA_18AVE approved 12-11-2018.pdf

Formative Research and Tool Development

PIA

OMB: 0920-0840

Document [pdf]
Download: pdf | pdf
Save

Privacy Impact Assessment Form
v 1.21
Status

Form Number

Form Date

Question

Answer

1

OPDIV:

CDC

2

PIA Unique Identifier:

0920-18AVE New GenIC

2a Name:

Pathways: Qualitative Interviews with Post-Partum Women Asso
General Support System (GSS)
Major Application

3

Minor Application (stand-alone)

The subject of this PIA is which of the following?

Minor Application (child)
Electronic Information Collection
Unknown

3a

Identify the Enterprise Performance Lifecycle Phase
of the system.

Initiation
Yes

3b Is this a FISMA-Reportable system?

4

Does the system include a Website or online
application available to and for the use of the general
public?

5

Identify the operator.

6

Point of Contact (POC):

7

Is this a new or existing system?

8

Does the system have Security Authorization (SA)?

No
Yes
No
Agency
Contractor
POC Title

Public Health Advisor

POC Name

Jennine Kinsey

POC Organization (DSTDP)/SABRE
POC Email

[email protected]

POC Phone

404-639-6339
New
Existing
Yes
No

8b Planned Date of Security Authorization
Not Applicable

Page 1 of 9

Save
8c

Briefly explain why security authorization is not
required

Not applicable

10

Describe in further detail any changes to the system
that have occurred since the last PIA.

Not applicable
The purpose of this qualitative information collection is to
better understand and identify factors that result in deviations
from the “ideal” pregnancy narrative, as well as factors that are
protective, supportive, or that appear to facilitate access to and
use of timely and adequate prenatal care and syphilis diagnosis
and treatment during pregnancy.

11 Describe the purpose of the system.

We will 1) document women associated with congenital
syphilis (CS) cases and their recollections of and perspectives
about their pregnancy and prenatal care experience, 2)
attempt to identify potential protective or supportive factors
that would facilitate care and reduce the risk of CS, and 3)
identify strategies to reach vulnerable women and increase
awareness of the risks of CS during pregnancy.
Findings from the qualitative interviews will help increase
sexually transmitted disease (STD) program capacity to reach
women at risk for CS, and will prevent CS cases by identifying
strategies for improving outreach and education to women at
risk for CS.

The recruitment script collects the participant's name that is
used by the public health department during the recruitment
effort. The recruiter will also ask the potential participant to
confirm their identity by verifying their date of birth, which the
Describe the type of information the system will
health department representative will already have in addition
collect, maintain (store), or share. (Subsequent
12
questions will identify if this information is PII and ask to the participant's name.
about the specific data elements.)
The "Recruitment Verification Form" is completed by the health
department recruiter, who records date, respondent's name,
phone number, email address and willingness to participate in
the study.

Page 2 of 9

Save
The planned study design will use purposive, targeted
sampling to recruit 60 case mothers to participate in an
interview from all women identified as CS case mothers in
2015, 2016, or 2017 in the three sites.

Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.

Data will be collected from 60 semi-structured, 90-minute long,
in-person qualitative interviews using a timeline elicitation
method. Data will be collected from case mothers in three
CDC-funded jurisdictions: the states of California and Florida
and the metropolitan statistical area (MSA) of Chicago. The
number of interviews to be conducted in each site will be
based on weighted averages related to disease burden, but will
be approximately 20 per location. Qualitative coding and
thematic analysis of 60 in-depth interview transcripts using
computer-assisted qualitative data analysis software Nvivo 11.
The in-depth interviews will primarily include open-ended
questions with some closed-ended questions designed to elicit
information on participants' pregnancy, prenatal care, and
syphilis diagnosis experiences related to those events. Key
variables to be explored through the interviews include
demographics, experiences of pregnancy diagnoses, prenatal
care during 1st, 2nd, and 3rd trimester, syphilis diagnosis, and
post pregnancy experiences.
Although name, date of birth, phone number, and email
address data are collected, they will not be transmitted to CDC
nor will any record be retrievable by any element of PII. None
of the PII is linked to the study questions or study data.
Yes

14 Does the system collect, maintain, use or share PII?

Indicate the type of PII that the system will collect or
15
maintain.

No
Social Security Number

Date of Birth

Name

Photographic Identifiers

Driver's License Number

Biometric Identifiers

Mother's Maiden Name

Vehicle Identifiers

E-Mail Address

Mailing Address

Phone Numbers

Medical Records Number

Medical Notes

Financial Account Info

Certificates

Legal Documents

Education Records

Device Identifiers

Military Status

Employment Status

Foreign Activities

Passport Number

Taxpayer ID

Other...

Other...

Other...

Other...

Other...

Page 3 of 9

Save
Employees
Public Citizens
16

Indicate the categories of individuals about whom PII
is collected, maintained or shared.

Business Partners/Contacts (Federal, state, local agencies)
Vendors/Suppliers/Contractors
Patients
Other

17 How many individuals' PII is in the system?
18 For what primary purpose is the PII used?
19

Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)

100-499
The primary purpose of PII is to recruit potential case mothers
to the study.
Not applicable

20 Describe the function of the SSN.

Not applicable

20a Cite the legal authority to use the SSN.

Not applicable

21

Identify legal authorities governing information use This request is authorized by Title III – General Powers and
Duties of the Public Health Service, Section 301 (241.)a.
and disclosure specific to the system and program.
Research and investigations generally (Attachment 1).

22

Are records on the system retrieved by one or more
PII data elements?

Yes
No
Published:

Identify the number and title of the Privacy Act
System of Records Notice (SORN) that is being used
22a
to cover the system or identify if a SORN is being
developed.

Published:
Published:
In Progress

Page 4 of 9

Save
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
23

Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other

Identify the sources of PII in the system.

Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other
23a

Identify the OMB information collection approval
number and expiration date.

24 Is the PII shared with other organizations?

0290-0840 (18AVE)
Yes
No
Within HHS

Identify with whom the PII is shared or disclosed and
24a
for what purpose.

Other Federal
Agency/Agencies
State or Local
Agency/Agencies
Private Sector

Describe any agreements in place that authorizes the
information sharing or disclosure (e.g. Computer
24b Matching Agreement, Memorandum of
Understanding (MOU), or Information Sharing
Agreement (ISA)).
24c

Describe the procedures for accounting for
disclosures

Describe the process in place to notify individuals
25 that their personal information will be collected. If
no prior notice is given, explain the reason.

26

Is the submission of PII by individuals voluntary or
mandatory?

Participants will be notified in writing in the consent form
during the consent process that their personal information will
be collected. The consent process which is a discussion
between the participant and the study staff notifies individuals
that their PII will be collected.
Voluntary
Mandatory

Page 5 of 9

Save
Participants may withdraw or revoke their permission to use
and disclose PII at any time. This will be done by sending a
Describe the method for individuals to opt-out of the written notice to the local site researchers. Recruitment contact
collection or use of their PII. If there is no option to
information for local site researchers and the recruitment
27
object to the information collection, provide a
verification form are separate from the study data. If
reason.
participants withdraw their permission, no new information
will be gathered and the participant will not participate in the
study.
Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
28 and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe
why they cannot be notified or have their consent
obtained.
Describe the process in place to resolve an
individual's concerns when they believe their PII has
29 been inappropriately obtained, used, or disclosed, or
that the PII is inaccurate. If no process exists, explain
why not.
Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
30
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.

There are no major changes expected for this information
collection, however, individuals can be contacted via phone or
email by local study staff to notify them of any major changes
to the system.

Participants will be provided contact information and
instruction to contact either the grantee principal investigators
or CDC’s Human Research Protection Office.
The PII collected is held at the local sites. The local sites will
confirm the accuracy of the information each time they contact
a participant by phone, email, and/or during study visits.
If local site staff are unable to contact the participant after
multiple attempts, the participant will be withdrawn from
future study visits.
Users

Users include local site staff involved in
the study for collecting and entering

Administrators
31

Identify who will have access to the PII in the system
and the reason why they require access.

Developers
Contractors
Others

Describe the procedures in place to determine which Roles and responsibilities to access PII will be limited to study
investigators accessing recruitment/retention, survey, and
32 system users (administrators, developers,
interview data. The study data manager has a defined role that
contractors, etc.) may access PII.
will only have access to survey and interview data.

Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.

Access to PII will be restricted to Institutional Review Board
(IRB) individuals trained in human subject protections. All PII is
collected for a specific and identifiable purpose with access
restricted to specific job tasks and individuals who perform
those tasks. Access to PII in study data collected for the
purposes of analysis is limited to the study investigators and
data manager.

Page 6 of 9

Save

Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.

Describe training system users receive (above and
35 beyond general security and privacy awareness
training).

CDC personnel are required to complete the annual OCISO
Security Awareness Training to make them aware of their
responsibilities for protecting the information being collected
and maintained. Local study staff will undergo data security
and confidentiality training annually and will sign a
confidentiality statement before access to study data is
authorized. All local study staff will be knowledgeable about
local data security policy and procedures and researchers will
ensure that the written data security policy is easily accessible.
As part of the IRB approval process, interviewers submit proof
of completion of recent ethics training. This process involves
substantial content regarding privacy and confidentiality.
Interviewers also must commit to CDC that they will comply
with Health and Human Services Protection of Human Subjects
regulations 45 CFR part 46.
All CDC staff earn Scientific Ethics Verification numbers as
required by the IRB for engaging human subjects research.
These numbers are obtained only after completing in-depth
ethics trainings including sections on privacy and
confidentiality.

Do contracts include Federal Acquisition Regulation
36 and other appropriate clauses ensuring adherence to
privacy provisions and practices?
Describe the process and guidelines in place with
37 regard to the retention and destruction of PII. Cite
specific records retention schedules.

Yes
No
CDC uses the CDC Records Control Schedule for determining
retention and destruction of PII, specifically, section 04-4-40
Surveillance Report of STD Activity, which prescribes that
records be retained and destroyed when no longer needed for
administrative or research purposes or when 30 years old,
whichever comes first.
Technical
Access to the server is controlled using individual access
controls and only authorized users will have access to the data.

Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.

Administrative
CDC will not receive or store PII. The CDC study team has
defined that roles and responsibilities to access PII is limited to
only study investigators with have access to recruitment/
retention, survey, and interview data. The study data manager
has a defined role that will only have access to survey and
interview data.
Physical
CDC data will be stored on a secured server at a facility
protected by guards. Additional protections include Personal
Identification Verification (PIV) card access protections. Guards
are also located inside buildings to control ingress and egress.

REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV
Senior Officer for Privacy.

Reviewer Questions

Answer

Page 7 of 9

Save
Reviewer Questions
1

Are the questions on the PIA answered correctly, accurately, and completely?

Answer
Yes
No

Reviewer
Notes
2

Does the PIA appropriately communicate the purpose of PII in the system and is the purpose
justified by appropriate legal authorities?

Yes

Do system owners demonstrate appropriate understanding of the impact of the PII in the
system and provide sufficient oversight to employees and contractors?

Yes

No

Reviewer
Notes
3

No

Reviewer
Notes
4

Does the PIA appropriately describe the PII quality and integrity of the data?

Yes
No

Reviewer
Notes
5

Is this a candidate for PII minimization?

Yes
No

Reviewer
Notes
6

Does the PIA accurately identify data retention procedures and records retention schedules?

Yes
No

Reviewer
Notes
7

Are the individuals whose PII is in the system provided appropriate participation?

Yes
No

Reviewer
Notes
8

Does the PIA raise any concerns about the security of the PII?

Yes
No

Reviewer
Notes
9

Is applicability of the Privacy Act captured correctly and is a SORN published or does it need
to be?

Yes
No

Reviewer
Notes
10

Is the PII appropriately limited for use internally and with third parties?

Yes
No

Reviewer
Notes
11

Does the PIA demonstrate compliance with all Web privacy requirements?

Yes
No

Page 8 of 9

Save
Reviewer Questions

Answer

Reviewer
Notes
12

Were any changes made to the system because of the completion of this PIA?

Yes
No

Reviewer
Notes

General Comments

OPDIV Senior Official
for Privacy Signature

Jarell
Oshodi -S

Digitally signed by Jarell
HHS Senior
Oshodi -S
Agency Official
Date: 2018.12.11
for Privacy
12:56:17 -05'00'

Page 9 of 9


File Typeapplication/pdf
File Modified0000-00-00
File Created0000-00-00

© 2024 OMB.report | Privacy Policy