Download:
pdf |
pdfSave
Privacy Impact Assessment Form
v 1.47.4
Status Draft
Form Number
F-68550
Form Date
Question
Answer
1
OPDIV:
CDC
2
PIA Unique Identifier:
P-1689558-402084
2a Name:
9/25/2018 2:20:45 PM
NCCDPHP Platform (NCCD Platform)
General Support System (GSS)
Major Application
3
Minor Application (stand-alone)
The subject of this PIA is which of the following?
Minor Application (child)
Electronic Information Collection
Unknown
3a
Identify the Enterprise Performance Lifecycle Phase
of the system.
Implementation
Yes
3b Is this a FISMA-Reportable system?
4
Does the system include a Website or online
application available to and for the use of the general
public?
5
Identify the operator.
6
Point of Contact (POC):
7
Is this a new or existing system?
8
Does the system have Security Authorization (SA)?
8b Planned Date of Security Authorization
No
Yes
No
Agency
Contractor
POC Title
Info Systems Security Officer
POC Name
Cindy Allen
POC Organization CDC/NCCDPHP
POC Email
[email protected]
POC Phone
770-488-5388
New
Existing
Yes
No
October 17, 2018
Not Applicable
Page 1 of 10
Save
11 Describe the purpose of the system.
Chronic diseases can be prevented by eating well, being
physically active, avoiding tobacco and excessive drinking, and
also getting regular health screenings. CDC’s National Center
for Chronic Disease Prevention and Health Promotion
(NCCDPHP) Platform provides a hosting environment for
access to data that helps people and communities prevent
chronic diseases and promotes health and wellness for all.
The NCCDPHP Platform supports:
1) public use data and information;
2) tools for program assessments and data analysis;
3) data visualizations; and
4) administrative tools.
The categories of data on the NCCDPHP Platform (NCCD
Platform) include data and information dissemination, data
collection, administrative, data analysis tools, program
assessment, and data visualization supporting chronic disease
prevention and health promotion.
The types of information contained in the Platform include:
--analyzed datasets
Describe the type of information the system will
--surveillance data
collect, maintain (store), or share. (Subsequent
--promotional materials
12
questions will identify if this information is PII and ask --tool and resources
about the specific data elements.)
--demographics
--health indicators
--contact information
--user credentials (user id, password)
--email address
--resource code
Active Directory (AD) is used for access control/authentication
of CDC users. AD is covered by a separate PIA.
Page 2 of 10
Save
NCCDPHP Platform provides a hosting environment for
applications that support the mission of the National Center
for Chronic Disease Prevention and Health Promotion
(NCCDPHP). The data maintained in the NCCD Platform
supports the planning, implementation, and evaluation of
state and national chronic disease prevention and health
promotion initiatives.
Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.
Data maintained on NCCDPHP Platform includes:
--health related risk data (i.e., tobacco or alcohol use, emerging
health topics)
--public use data sets, statistics, and information
--surveillance, prevalence, and trend data
--print or digital materials, advertisements, public service
announcements, media promotions
--chronic disease related training material and curriculum
--contact information for chronic disease related programs
--scientific citations of CDC publications
--resources to support chronic disease prevention and health
promotion (webinars, model policies, fact sheets, guides,
training materials, pamphlets, brochures); public health project
descriptions and evaluations
--surveillance data
--success stories of positive public health interventions
--chronic disease related training material and curriculum
--responses to program assessment questionnaires
--business contact information (organization name, point of
contact name, email, and telephone numbers)
--demographics of an organization or program (race/ethnic
group, age, gender, education level, size and location of
organization)
Active Directory (AD) is used for access control/authentication
of CDC users. AD is covered by a separate PIA.
14 Does the system collect, maintain, use or share PII?
Yes
No
Page 3 of 10
Save
15
Indicate the type of PII that the system will collect or
maintain.
Social Security Number
Date of Birth
Name
Photographic Identifiers
Driver's License Number
Biometric Identifiers
Mother's Maiden Name
Vehicle Identifiers
E-Mail Address
Mailing Address
Phone Numbers
Medical Records Number
Medical Notes
Financial Account Info
Certificates
Legal Documents
Education Records
Device Identifiers
Military Status
Employment Status
Foreign Activities
Passport Number
Taxpayer ID
User Name
Employees
Public Citizens
16
Business Partners/Contacts (Federal, state, local agencies)
Indicate the categories of individuals about whom PII
is collected, maintained or shared.
Vendors/Suppliers/Contractors
Patients
Other
17 How many individuals' PII is in the system?
18 For what primary purpose is the PII used?
19
Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)
500-4,999
PII is used to control system access.
--By providing an email address, users can retrieve their login
name or reset their password.
--A user's email address may be used to notify users about
changes.
--PII can be used by CDC to contact users.
20 Describe the function of the SSN.
N/A
20a Cite the legal authority to use the SSN.
N/A
21
Identify legal authorities governing information use
Public Health Service Act, (42 U.S.C. Chapter 6A)
and disclosure specific to the system and program.
22
Are records on the system retrieved by one or more
PII data elements?
Yes
No
Page 4 of 10
Save
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
23
Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other
Identify the sources of PII in the system.
Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other
23a
Identify the OMB information collection approval
number and expiration date.
24 Is the PII shared with other organizations?
Describe the process in place to notify individuals
25 that their personal information will be collected. If
no prior notice is given, explain the reason.
26
Is the submission of PII by individuals voluntary or
mandatory?
OMB No. 0920-18AAU (SEALS)
OMB No. 0920-1090, exp.12/31/2018
OMB No. 0920-0909, exp. 02/28/2021 (Diabetes Prevention
Recognition Program)
OMB No. 0920-1061, exp. 03/31/2021 (BRFSS)
Yes
No
There is no process in place because PII is not directly solicited
from individuals. In all cases, the PII has been provided directly
by an individual to establish a user account, when a user
requests information, or when provided by a CDC partner.
Voluntary
Mandatory
An individual takes affirmative action to allow the collection or
Describe the method for individuals to opt-out of the use of their PII. An individual’s PII cannot be collected unless
collection or use of their PII. If there is no option to
the individual provides the information.
27
object to the information collection, provide a
reason.
PII from CDC partners is based on a condition of the Notice of
Funding Opportunity
Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
Users who provide their email address for access can be
28 and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe contacted via email when major changes occur.
why they cannot be notified or have their consent
obtained.
Page 5 of 10
Save
Describe the process in place to resolve an
individual's concerns when they believe their PII has
29 been inappropriately obtained, used, or disclosed, or
that the PII is inaccurate. If no process exists, explain
why not.
Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
30
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.
Users can contact CDC directly to resolve any concerns. Each
website includes an email address for such contact. The email
would be routed to the appropriate program within NCCDPHP
to address the concerns.
Since the PII is provided by an individual, no processes are in
place to review the PII for integrity, availability, or accuracy. All
user accounts are reviewed annually for relevancy.
Users
external user: account management;
internal user (CDC): clarification from
external users for data submissions
Administrators
31
Identify who will have access to the PII in the system
and the reason why they require access.
Developers
internal users: for development and
troubleshooting; data updates;
account management
Contractors
Others
Users:
--Internal Users (CDC): CDC project staff or managers authorize
access that is limited to a need-to-know, role-dependent basis
Describe the procedures in place to determine which for staff assigned to a particular project or program.
--External Users: access their own individual information
32 system users (administrators, developers,
contractors, etc.) may access PII.
Developers: The program manager is responsible for ensuring
that personnel have controlled access only to what is relevant
to their specific work on the project. Developers are assigned
roles and responsibilities based on their role in a project.
Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.
End user access to PII is granted based on role and function in
the workflows, and is granted at the lowest level needed to
perform a user's designated role in the workflow.
Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.
CDC staff complete annual IT security and privacy awareness
training.
Describe training system users receive (above and
35 beyond general security and privacy awareness
training).
None
Do contracts include Federal Acquisition Regulation
36 and other appropriate clauses ensuring adherence to
privacy provisions and practices?
Yes
No
Page 6 of 10
Save
Describe the process and guidelines in place with
37 regard to the retention and destruction of PII. Cite
specific records retention schedules.
User accounts and associated PII are removed when no longer
needed for access. The PII and user accounts are temporary
administrative records and not subject to long term records
retention.
CDC Records Control Schedule 01-01-01d Office
Administrative Files
User accounts are reviewed annually.
Administrative Controls:
Role-based, least privilege, account review, security plan,
contingency plan, and training.
Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.
Technical Controls:
Data is encrypted in transit. Data files are backed up. PII data is
publically available and does not require additional controls.
Physical Controls:
Physical controls include ID Badges, Key Cards, and Closed
Circuit TV (CCTV). The Platform is in a data center protected by
guards, gates, and surveillance at the entry point to the facility.
Access to the data center is limited to authorized personnel
Page 7 of 10
Save
39 Identify the publicly-available URL:
40 Does the website have a posted privacy notice?
https://www.cdc.gov/500Cities/
https://nccd.cdc.gov/DPH_ARDI/default/default.aspx
https://www.cdc.gov/art/artdata/index.html
https://nccd.cdc.gov/BRFSSStates/
https://nccd.cdc.gov/BRFSSPrevalence/rdPage.aspx
https://nccd.cdc.gov/weat
https://nccd.cdc.gov/dcpc_Programs
https://nccd.cdc.gov/DCPC_SCS
http://www.cdc.gov/cdi/
https://nccdintra.cdc.gov/CDMIS
https://nccd.cdc.gov/CKD/default.aspx
https://nccd.cdc.gov/CORIDOR/
https://nccd.cdc.gov/DCH_CHORC/
https://nccd.cdc.gov/CCCSearch/Default/Default.aspx
https://nccd.cdc.gov/Toolkit/DiabetesBurden
https://nccd.cdc.gov/Toolkit/DiabetesImpact
https://nccd.cdc.gov/DDT_DPRP
https://nccd.cdc.gov/GTSS/rdPage.aspx
http://nccd.cdc.gov/DPH_Aging
https://nccd.cdc.gov/DHDSP_DTM
https://www.cdc.gov/dhdsp/maps/atlas/index.htm
https://nccd.cdc.gov/MCRC/Index.aspx
https://nccd.cdc.gov/MillionHearts/Estimator/
https://nccd.cdc.gov/MillionHearts/protocol/
https://nccd.cdc.gov/DOH_MWF
https://nccd.cdc.gov/nccdsuccessstories/default.aspx
https://nccd.cdc.gov/dnpao_dtm/rdPage.aspx
https://www.cdc.gov/STATESystem/
https://www.cdc.gov/oralhealthdata/
https://nccd.cdc.gov/PECAT/
https://nccd.cdc.gov/PRCResearchProjects
https://nccd.cdc.gov/DASH_SHI
https://nccd.cdc.gov/SEALS/
https://nccd.cdc.gov/chmc
https://nccd.cdc.gov/DDT_VEHSS
https://nccd.cdc.gov/visionhealth/
https://nccd.cdc.gov/DOH_WFRS/default/Login.aspx
https://nccd.cdc.gov/WHRC
https://nccd.cdc.gov/DPH_WHSC/HealthScorecard/Home.aspx
Yes
No
40a
Is the privacy policy available in a machine-readable
format?
Yes
41
Does the website use web measurement and
customization technology?
Yes
No
No
Page 8 of 10
Save
Technologies
Yes
Web beacons
No
Yes
Web bugs
Select the type of website measurement and
41a customization technologies is in use and if it is used
to collect PII. (Select all that apply)
Collects PII?
No
Session Cookies
Persistent Cookies
Adobe Analytics
Other... Google
Analytics
42
Does the website have any information or pages
directed at children under the age of thirteen?
Yes
43
Does the website contain links to non- federal
government websites external to HHS?
Yes
Is a disclaimer notice provided to users that follow
43a external links to websites not owned or operated by
HHS?
Yes
Yes
No
Yes
No
Yes
No
No
No
No
Page 9 of 10
Save
The NCCDPHP Platform is part of a CDC-wide information technology (IT) realignment. This Platform
serves as a physical infrastructure that supports applications and services in support of the CDC mission.
As a result of the realignment, this tool supports the following child applications/systems, some of which
may collect personally identifiable information (PII):
General Comments
OPDIV Senior Official
for Privacy Signature
500 Cities
Alcohol Related Disease Impact
Assisted Reproductive Technology Success Rates
BRFSS Data Submission
BRFSS Open Data
BRFSS Web Enabled Analysis Tool
Cancer Program Contacts
Cancer Research Citation Search
Chronic Disease Indicators
Chronic Disease Management Information System
Chronic Kidney Disease Data Dissemination
Chronic Online Resource Inventory and Database: Organized and Readily Accessible
Community Health Media Center
Community Health Online Resource Center
Comprehensive Cancer Control Plans Search
Diabetes Burden and Impact Toolkits
DPRP Application Form and Registry
Global Tobacco Surveillance System Data
Healthy Aging Portfolio
Heart Disease and Stroke Prevention Data Trends and Maps
Interactive Atlas of Heart Disease and Stroke
Media Campaign Resource Center
Million Hearts
My Waters Fluoride
NCCDPHP Human Subjects Review Tracking System
NCCDPHP Success Stories Tool
Nutrition, Physical Activity and Obesity: Data, Trends and Maps
Office on Smoking and Health Data
Oral Health Data
Physical Education Curriculum Analysis Tool
Prevention Research Center Research Projects
School health Index
Sealant Efficiency Assessment for Locals and States
Vision and Eye Health Surveillance System (NEW, need signed PIA)
Vision Health Initiative: Data, Trends, and Maps
Water Fluoridation Reporting System
Workplace Health Resource Center
Worksite Health ScoreCard
Beverly E.
Walker -S
Digitally signed by
Beverly E. Walker -S
Date: 2018.10.05 15:46:54
-04'00'
Page 10 of 10
File Type | application/pdf |
File Modified | 2018-10-05 |
File Created | 2016-03-30 |