Pia

Save

Privacy Impact Assessment Form
v 1.47.4
Status Draft

Form Number

F-68550

Form Date

Question

Answer

1

OPDIV:

CDC

2

PIA Unique Identifier:

P-1689558-402084

2a Name:

9/25/2018 2:20:45 PM

NCCDPHP Platform (NCCD Platform)
General Support System (GSS)
Major Application

3

Minor Application (stand-alone)

The subject of this PIA is which of the following?

Minor Application (child)
Electronic Information Collection
Unknown

3a

Identify the Enterprise Performance Lifecycle Phase
of the system.

Implementation
Yes

3b Is this a FISMA-Reportable system?

4

Does the system include a Website or online
application available to and for the use of the general
public?

5

Identify the operator.

6

Point of Contact (POC):

7

Is this a new or existing system?

8

Does the system have Security Authorization (SA)?

8b Planned Date of Security Authorization

No
Yes
No
Agency
Contractor
POC Title

Info Systems Security Officer

POC Name

Cindy Allen

POC Organization CDC/NCCDPHP
POC Email

[email protected]

POC Phone

770-488-5388
New
Existing
Yes
No
October 17, 2018
Not Applicable

Page 1 of 10

Save

11 Describe the purpose of the system.

Chronic diseases can be prevented by eating well, being
physically active, avoiding tobacco and excessive drinking, and
also getting regular health screenings. CDC’s National Center
for Chronic Disease Prevention and Health Promotion
(NCCDPHP) Platform provides a hosting environment for
access to data that helps people and communities prevent
chronic diseases and promotes health and wellness for all.
The NCCDPHP Platform supports:
1) public use data and information;
2) tools for program assessments and data analysis;
3) data visualizations; and
4) administrative tools.
The categories of data on the NCCDPHP Platform (NCCD
Platform) include data and information dissemination, data
collection, administrative, data analysis tools, program
assessment, and data visualization supporting chronic disease
prevention and health promotion.

The types of information contained in the Platform include:
--analyzed datasets
Describe the type of information the system will
--surveillance data
collect, maintain (store), or share. (Subsequent
--promotional materials
12
questions will identify if this information is PII and ask --tool and resources
about the specific data elements.)
--demographics
--health indicators
--contact information
--user credentials (user id, password)
--email address
--resource code
Active Directory (AD) is used for access control/authentication
of CDC users. AD is covered by a separate PIA.

Page 2 of 10

Save
NCCDPHP Platform provides a hosting environment for
applications that support the mission of the National Center
for Chronic Disease Prevention and Health Promotion
(NCCDPHP). The data maintained in the NCCD Platform
supports the planning, implementation, and evaluation of
state and national chronic disease prevention and health
promotion initiatives.

Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.

Data maintained on NCCDPHP Platform includes:
--health related risk data (i.e., tobacco or alcohol use, emerging
health topics)
--public use data sets, statistics, and information
--surveillance, prevalence, and trend data
--print or digital materials, advertisements, public service
announcements, media promotions
--chronic disease related training material and curriculum
--contact information for chronic disease related programs
--scientific citations of CDC publications
--resources to support chronic disease prevention and health
promotion (webinars, model policies, fact sheets, guides,
training materials, pamphlets, brochures); public health project
descriptions and evaluations
--surveillance data
--success stories of positive public health interventions
--chronic disease related training material and curriculum
--responses to program assessment questionnaires
--business contact information (organization name, point of
contact name, email, and telephone numbers)
--demographics of an organization or program (race/ethnic
group, age, gender, education level, size and location of
organization)
Active Directory (AD) is used for access control/authentication
of CDC users. AD is covered by a separate PIA.

14 Does the system collect, maintain, use or share PII?

Yes
No

Page 3 of 10

Save

15

Indicate the type of PII that the system will collect or
maintain.

Social Security Number

Date of Birth

Name

Photographic Identifiers

Driver's License Number

Biometric Identifiers

Mother's Maiden Name

Vehicle Identifiers

E-Mail Address

Mailing Address

Phone Numbers

Medical Records Number

Medical Notes

Financial Account Info

Certificates

Legal Documents

Education Records

Device Identifiers

Military Status

Employment Status

Foreign Activities

Passport Number

Taxpayer ID
User Name

Employees
Public Citizens
16

Business Partners/Contacts (Federal, state, local agencies)

Indicate the categories of individuals about whom PII
is collected, maintained or shared.

Vendors/Suppliers/Contractors
Patients
Other

17 How many individuals' PII is in the system?
18 For what primary purpose is the PII used?

19

Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)

500-4,999
PII is used to control system access.
--By providing an email address, users can retrieve their login
name or reset their password.
--A user's email address may be used to notify users about
changes.
--PII can be used by CDC to contact users.

20 Describe the function of the SSN.

N/A

20a Cite the legal authority to use the SSN.

N/A

21

Identify legal authorities governing information use
Public Health Service Act, (42 U.S.C. Chapter 6A)
and disclosure specific to the system and program.

22

Are records on the system retrieved by one or more
PII data elements?

Yes
No

Page 4 of 10

Save
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
23

Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other

Identify the sources of PII in the system.

Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other

23a

Identify the OMB information collection approval
number and expiration date.

24 Is the PII shared with other organizations?
Describe the process in place to notify individuals
25 that their personal information will be collected. If
no prior notice is given, explain the reason.
26

Is the submission of PII by individuals voluntary or
mandatory?

OMB No. 0920-18AAU (SEALS)
OMB No. 0920-1090, exp.12/31/2018
OMB No. 0920-0909, exp. 02/28/2021 (Diabetes Prevention
Recognition Program)
OMB No. 0920-1061, exp. 03/31/2021 (BRFSS)
Yes
No
There is no process in place because PII is not directly solicited
from individuals. In all cases, the PII has been provided directly
by an individual to establish a user account, when a user
requests information, or when provided by a CDC partner.
Voluntary
Mandatory

An individual takes affirmative action to allow the collection or
Describe the method for individuals to opt-out of the use of their PII. An individual’s PII cannot be collected unless
collection or use of their PII. If there is no option to
the individual provides the information.
27
object to the information collection, provide a
reason.
PII from CDC partners is based on a condition of the Notice of
Funding Opportunity
Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
Users who provide their email address for access can be
28 and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe contacted via email when major changes occur.
why they cannot be notified or have their consent
obtained.

Page 5 of 10

Save
Describe the process in place to resolve an
individual's concerns when they believe their PII has
29 been inappropriately obtained, used, or disclosed, or
that the PII is inaccurate. If no process exists, explain
why not.
Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
30
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.

Users can contact CDC directly to resolve any concerns. Each
website includes an email address for such contact. The email
would be routed to the appropriate program within NCCDPHP
to address the concerns.
Since the PII is provided by an individual, no processes are in
place to review the PII for integrity, availability, or accuracy. All
user accounts are reviewed annually for relevancy.
Users

external user: account management;
internal user (CDC): clarification from
external users for data submissions

Administrators
31

Identify who will have access to the PII in the system
and the reason why they require access.

Developers

internal users: for development and
troubleshooting; data updates;
account management

Contractors
Others
Users:
--Internal Users (CDC): CDC project staff or managers authorize
access that is limited to a need-to-know, role-dependent basis
Describe the procedures in place to determine which for staff assigned to a particular project or program.
--External Users: access their own individual information
32 system users (administrators, developers,
contractors, etc.) may access PII.
Developers: The program manager is responsible for ensuring
that personnel have controlled access only to what is relevant
to their specific work on the project. Developers are assigned
roles and responsibilities based on their role in a project.
Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.

End user access to PII is granted based on role and function in
the workflows, and is granted at the lowest level needed to
perform a user's designated role in the workflow.

Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.

CDC staff complete annual IT security and privacy awareness
training.

Describe training system users receive (above and
35 beyond general security and privacy awareness
training).

None

Do contracts include Federal Acquisition Regulation
36 and other appropriate clauses ensuring adherence to
privacy provisions and practices?

Yes
No

Page 6 of 10

Save

Describe the process and guidelines in place with
37 regard to the retention and destruction of PII. Cite
specific records retention schedules.

User accounts and associated PII are removed when no longer
needed for access. The PII and user accounts are temporary
administrative records and not subject to long term records
retention.
CDC Records Control Schedule 01-01-01d Office
Administrative Files
User accounts are reviewed annually.
Administrative Controls:
Role-based, least privilege, account review, security plan,
contingency plan, and training.

Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.

Technical Controls:
Data is encrypted in transit. Data files are backed up. PII data is
publically available and does not require additional controls.
Physical Controls:
Physical controls include ID Badges, Key Cards, and Closed
Circuit TV (CCTV). The Platform is in a data center protected by
guards, gates, and surveillance at the entry point to the facility.
Access to the data center is limited to authorized personnel

Page 7 of 10

Save

39 Identify the publicly-available URL:

40 Does the website have a posted privacy notice?

https://www.cdc.gov/500Cities/
https://nccd.cdc.gov/DPH_ARDI/default/default.aspx
https://www.cdc.gov/art/artdata/index.html
https://nccd.cdc.gov/BRFSSStates/
https://nccd.cdc.gov/BRFSSPrevalence/rdPage.aspx
https://nccd.cdc.gov/weat
https://nccd.cdc.gov/dcpc_Programs
https://nccd.cdc.gov/DCPC_SCS
http://www.cdc.gov/cdi/
https://nccdintra.cdc.gov/CDMIS
https://nccd.cdc.gov/CKD/default.aspx
https://nccd.cdc.gov/CORIDOR/
https://nccd.cdc.gov/DCH_CHORC/
https://nccd.cdc.gov/CCCSearch/Default/Default.aspx
https://nccd.cdc.gov/Toolkit/DiabetesBurden
https://nccd.cdc.gov/Toolkit/DiabetesImpact
https://nccd.cdc.gov/DDT_DPRP
https://nccd.cdc.gov/GTSS/rdPage.aspx
http://nccd.cdc.gov/DPH_Aging
https://nccd.cdc.gov/DHDSP_DTM
https://www.cdc.gov/dhdsp/maps/atlas/index.htm
https://nccd.cdc.gov/MCRC/Index.aspx
https://nccd.cdc.gov/MillionHearts/Estimator/
https://nccd.cdc.gov/MillionHearts/protocol/
https://nccd.cdc.gov/DOH_MWF
https://nccd.cdc.gov/nccdsuccessstories/default.aspx
https://nccd.cdc.gov/dnpao_dtm/rdPage.aspx
https://www.cdc.gov/STATESystem/
https://www.cdc.gov/oralhealthdata/
https://nccd.cdc.gov/PECAT/
https://nccd.cdc.gov/PRCResearchProjects
https://nccd.cdc.gov/DASH_SHI
https://nccd.cdc.gov/SEALS/
https://nccd.cdc.gov/chmc
https://nccd.cdc.gov/DDT_VEHSS
https://nccd.cdc.gov/visionhealth/
https://nccd.cdc.gov/DOH_WFRS/default/Login.aspx
https://nccd.cdc.gov/WHRC
https://nccd.cdc.gov/DPH_WHSC/HealthScorecard/Home.aspx
Yes
No

40a

Is the privacy policy available in a machine-readable
format?

Yes

41

Does the website use web measurement and
customization technology?

Yes

No
No

Page 8 of 10

Save
Technologies

Yes

Web beacons

No
Yes

Web bugs
Select the type of website measurement and
41a customization technologies is in use and if it is used
to collect PII. (Select all that apply)

Collects PII?

No

Session Cookies
Persistent Cookies
Adobe Analytics
Other... Google
Analytics

42

Does the website have any information or pages
directed at children under the age of thirteen?

Yes

43

Does the website contain links to non- federal
government websites external to HHS?

Yes

Is a disclaimer notice provided to users that follow
43a external links to websites not owned or operated by
HHS?

Yes

Yes
No
Yes
No
Yes
No

No

No
No

Page 9 of 10

Save
The NCCDPHP Platform is part of a CDC-wide information technology (IT) realignment. This Platform
serves as a physical infrastructure that supports applications and services in support of the CDC mission.
As a result of the realignment, this tool supports the following child applications/systems, some of which
may collect personally identifiable information (PII):

General Comments

OPDIV Senior Official
for Privacy Signature

500 Cities
Alcohol Related Disease Impact
Assisted Reproductive Technology Success Rates
BRFSS Data Submission
BRFSS Open Data
BRFSS Web Enabled Analysis Tool
Cancer Program Contacts
Cancer Research Citation Search
Chronic Disease Indicators
Chronic Disease Management Information System
Chronic Kidney Disease Data Dissemination
Chronic Online Resource Inventory and Database: Organized and Readily Accessible
Community Health Media Center
Community Health Online Resource Center
Comprehensive Cancer Control Plans Search
Diabetes Burden and Impact Toolkits
DPRP Application Form and Registry
Global Tobacco Surveillance System Data
Healthy Aging Portfolio
Heart Disease and Stroke Prevention Data Trends and Maps
Interactive Atlas of Heart Disease and Stroke
Media Campaign Resource Center
Million Hearts
My Waters Fluoride
NCCDPHP Human Subjects Review Tracking System
NCCDPHP Success Stories Tool
Nutrition, Physical Activity and Obesity: Data, Trends and Maps
Office on Smoking and Health Data
Oral Health Data
Physical Education Curriculum Analysis Tool
Prevention Research Center Research Projects
School health Index
Sealant Efficiency Assessment for Locals and States
Vision and Eye Health Surveillance System (NEW, need signed PIA)
Vision Health Initiative: Data, Trends, and Maps
Water Fluoridation Reporting System
Workplace Health Resource Center
Worksite Health ScoreCard

Beverly E.
Walker -S

Digitally signed by
Beverly E. Walker -S
Date: 2018.10.05 15:46:54
-04'00'

Page 10 of 10