RTAC Website/RTAC Partner Pool Application Portal: Privacy Impact Assessment (PIA)
Third-Party Website or Application URL: www.rtachesn.org
UNITED STATES AGENCY FOR INTERNATIONAL DEVELOPMENT
USAID Privacy Program
RTAC Website/Partner Pool Application Portal
Approved Date: [04/24/2019]
Additional Privacy Compliance Documentation Required:
☐ None
☐ Redirection Language
☐ USAID Websites Privacy Policy
☐ System of Records Notice (SORN)
☐ Role-Based Privacy Training Confirmation
☐ USAID Forms Management (ADS 505)
☐ Privacy Act (e)(3) Statement or Notice (PA Notice)
☒ Approved Records Schedule (ADS 502)
☐ Privacy Protection Language in Contracts and Other Acquisition-Related Documents
☐ Information Collection Request (ICR). ADS 505, ADS 506, and ADS 508 Privacy Program
Forms or Documents attached for Privacy Lead Review:
(All documents below that exist MUST be included in the PIA Packet)
☐ None
☐ Form(s)
☒ Contract(s)
☐ MOU(s)
☐ ISA(s)
☐ Retention Schedule
☐ Survey(s)
☐ Cloud Provider Contract
☐ Role-Based Training Certification
☐ MOA(s)
☒ Website URL
Place Details for the Above Selected items Here:
Website URL: rtachesn.org is the parent site (approved by the USAID Web Governance Board 11/20/2018). The RTAC website
will hyperlink to the RTAC Partner Portal Application which will be housed at: https:apply.iie.org/usaidrtac (not yet live).
Comments or Explanation of Additional Compliance Documentation Required:
www.rtachesn.org and https:apply.iie.org/usaidrtac.
RTAC Privacy Impact Assessment
Date Approved: [04/24/2019]
Contact Information and Approval Signatures
Third Party Website PIA
Template Version 20181116_v10D
Table of Contents
1 Introduction
2 General Information
2.1 Sponsoring Program
2.2 Website Purpose, Management, Contracts and Legal Compliance
2.3 Website Description
3 Availability, Source and Use of PII
3.1 Types of PII
3.2 Intended Use of PII
3.3 Sharing and Disclosure of PII
3.4 Maintenance and Retention of PII
3.5 Securing PII
4 Identification and Mitigation of Other Privacy Risks
4.1 Other Privacy Risks
5 Creation or Modification of a System of Records
5.1 SORNs
1 Introduction
Review the Websites and Applications Program Standard Operating Procedure (SOP) before completing
this form. Many of the questions stem from OMB requirements discussed in that SOP. That SOP
discusses how various factors may positively or negatively drive the risk associated with USAID’s use of
such third-party websites. Consider a high level risk mitigation strategy as discussed in that SOP.
The USAID Privacy Program uses the Third-Party Website Privacy Impact Assessment (PIA) Template to
gather information from Program Managers (PM) and Website/System Owners (SOs) in order to analyze
if the third-party website makes Personally Identifiable Information (PII) available to USAID or whether
the agency actually collects, uses, maintains, or disseminates PII. This document helps to determine the
Privacy Risks that USAID’s participation with the website may pose. See ADS 508 Privacy Program
Section 503.3.5.2 Privacy Impact Assessments.
The PIA process should accomplish two goals:
1. Determine what PII is likely to be made available to USAID and/or the public, through the third-party website and the privacy risks and effects of collecting, using, maintaining, and
disseminating PII; and
2. Evaluate and enforce protections and alternative processes for handling PII to reduce potential
privacy risks to acceptable levels.
Type Not Applicable in the answer boxes for those questions that do not apply to your website/system
and explain why the question is not applicable. If you have questions or would like assistance with this
PIA Template, the PIA process, or other privacy compliance requirements, please contact the USAID
Privacy Program at [email protected].
2 General Information
2.1 Sponsoring Program
2.1.1 Describe the USAID program this website directly supports.
This Research Technical Assistance Center (RTAC) Website (housed at www.rtachesn.org) supports the
USAID Global Development Lab Center for Development Research (LAB/CDR) Research Technical
Assistance Center (RTAC). RTAC is one of the three signature programs under USAID’s Higher Education
Solutions Network (HESN 2.0) portfolio of programs. The principal goal of RTAC is to establish, maintain,
and utilize a diverse network of university-based research experts (the RTAC Partner Pool) who can be
available to fill USAID’s needs on an on-demand basis. The RTAC research network is required to
demonstrate regional, technical, and demographic diversity and has targeted participation goals for
female researchers, researchers from minority serving institutions (MSIs), and researchers from
developing countries.
The RTAC Website provides information to potential researchers on USAID research activities and
previous projects. It will also offer interested parties an opportunity to “apply” to be included in the
RTAC Partner Pool (a pool of researchers that USAID can then call on to apply to unique project
requirements for research over the next five years). To “apply” to be included in the RTAC Partner Pool,
interested parties will click on a button labeled “Apply to Join the RTAC Network Here” that will be
visible in the top corner of the www.rtachesn.org website. Once they click on that button, it will take
users from the www.rtachesn.org third party website to another third party website/application portal
located at: https:apply.iie.org/usaidrtac. At that site they will be invited to complete the application
questions that are available in the “2018.09.12_RTAC Application to Partner Pool_Proposed Questions”
Microsoft Word document (attached to this document as an appendix).
2.1.2 What is the name and purpose of the USAID program?
The name of the program is the Research Technical Assistance Center (RTAC). RTAC was solicited after
almost two years of internal and external consultations around the next round of programming to occur
under USAID’s HESN portfolio. Based on the feedback from those consultations, RTAC was envisioned as,
and aims to provide, a “network” of university-based researchers that can be available to USAID
Missions and Operating Units (M/B/IOs) on a quick turn-around basis to access high level technical
expertise. Specifically, M/B/IOs from across the Agency will reach out to RTAC, and their network of
university-based researchers (RTAC Partner Pool) to identify specific technical or regional university-based
experts to fulfill USAID’s research needs. RTAC is responsible for soliciting, maintaining, and
utilizing this diverse network of researchers (RTAC Partner Pool) to facilitate fulfillment of the specific
research-based requirements identified by M/B/IOs over the next five years. The purpose is to provide
USAID access to quick, evidence-based data and research to help inform our programming.
2.1.3 How does the program support a USAID business function?
RTAC, through its RTAC website and RTAC Partner Portal, will directly support a key USAID business
function. Specifically, RTAC provides rapid research-based technical assistance that facilitates USAID’s
capability to make quick, evidence-based programming decisions by leveraging the technical and
research expertise of the Higher Education community. Envisioned activities include: creation of
evidence-to-action policy briefs, technical reports, strategic research agenda and research activity
consultations, coordination of university-based researchers for expert panels or convenings, sector-focused training, and other short-term technical assistance.
RTAC is currently comprised of a network of over 250 researchers from over 30 countries (43% lower-middle income (LMIC), 16% MSI, and with 46% female researchers). The existing Partner Pool
researchers (solicited by the National Opinion Research Center (NORC) at the University of Chicago during
the Request for Proposal stage) will be added to the RTAC Partner Portal database once it is approved.
In addition, new applicants will be able to apply to join the RTAC Partner Pool by selecting the “Apply to
Join the RTAC Network Here” button; it will hyperlink to the Application Portal site which will be at:
https:apply.iie.org/usaidrtac. Once they complete the RTAC Partner Pool Portal application questions
(see appendix), their information will also be added to the RTAC Partner Pool database, maintained by
the RTAC contractors.
The information inside the RTAC Partner Pool database will support USAID’s business function
(evidence-based decision-making) because it will provide USAID with access to researchers who have
the unique capacities and expertise needed to fulfill USAID’s evolving research needs.
A restricted number of USAID staff (less than five) will have password-protected access to the
information via a third-party website. The third-party houses, stores, and secures all the data (the
database is never envisioned to be housed on USAID’s website directly). USAID envisions searching for
partner pool members in the third-party database by subject or geographic area expertise. Searches by
unique identifiers will not be required to support the business function.
2.1.4 Is the website or any content posted by or on behalf of USAID on this website
associated with a grant, contract, or cooperative agreement?
Yes. The entire website is funded, developed, and supported under the Research Technical Assistance
Center (RTAC) Contract as follows:
Prime Contractor: National Opinion Research Center (NORC), at the University of Chicago
Contract Number: 7200AA18C00057
NORC is the Prime Contractor selected by USAID to implement the RTAC contract. They have a variety of
subcontractors underneath their contract. The primary contributing subcontractors for the website and
Researcher Partner Pool Portal are Forum One, Institute of International Education (IIE), and the
Population Reference Bureau (PRB).
2.1.5 Will non-USAID organizations be associated with the website? If so, please list
the partners.
Yes. For implementation of RTAC, NORC, at the University of Chicago, currently has subcontracts with
Arizona State University, Centro de Investigación de la Universidad del Pacifico (Lima, Peru), Davis
Management Group, the DevLab@Duke University, Forum One, Institute of International Education (IIE),
Notre Dame Initiative for Global Development, Population Reference Bureau (PRB), Resilient Africa
Network at Makerere University (RAN) (Kampala, Uganda), United Negro College Fund, University of
Chicago, and University of Illinois at Chicago. Each of these subcontractors will be working with their
colleagues and contacts to support their respective researchers’ applications to apply to be included in
the RTAC Partner Pool.
2.1.6 Will the website be co-sponsored or managed by other federal agencies or
governments? If so, please list the other federal agencies or governments.
No. At this time, there is no plan to have the website co-sponsored or managed by another federal
agency.
2.2 Website Purpose, Management, Contracts and Legal Compliance
2.2.1 What is the strategic purpose of the website?
☒ Public interaction and open government outreach. Indicate below if this involves surveys, contests or
message boards that provide a forum for the public to comment.
☒ Recruitment and employee outreach. Indicate below the broad scope of information collected from
current employees and applicants on the website.
☐ Participation in agency programs and systems. Indicate below the broad scope of information
collected on the website and the extent of any risk that the PII from this website may be combined,
matched or otherwise used in concert with other PII maintained by USAID.
☒ Other (describe below)
The website will provide the general public information about the project and will offer researchers an
opportunity to apply to join the RTAC Research Partner Pool. If they are accepted into the pool they will
potentially (depending on demand) have access to USAID research proposal opportunities in the portal.
The website is not currently planned to include other general surveys for the public. The public can sign
up for emails, but is not currently envisioned to have an opportunity to post any comment within the
website. Emails are not stored by the site, but alternatively in PRB’s MailChimp service (for email alerts
to the general public) or on IIE’s Slate system (for researchers joining the research pool).
Only PRB-designated staff will have access to the MailChimp service. Only IIE- and NORC-designated
staff will have access to the Slate application. USAID will not receive personal email addresses from the
researchers in the pool or from persons receiving email alerts.
2.2.2 Who is the audience for USAID’s use of this website?
The website will have several audiences:
1) The first audience is potential new researchers who are interested in joining the RTAC Partner Pool.
We envision that they will visit the website to submit an application to be considered to join the RTAC
Partner Pool.
2) USAID itself is also an audience for the website. The website is envisioned to highlight key RTAC
research success stories and examples of how RTAC can help other Missions and Operating Units
accomplish their research and programming objectives.
3) The next audience is researchers, implementing partners, and the general public who will use the
website to gain tools and knowledge on how to incorporate research for development into their work,
and who are interested in learning about research-related opportunities with RTAC as well as recent
success stories from a USAID-funded program.
2.2.3 Describe USAID’s responsibilities for managing this website.
Check all that apply:
☒ USAID provides content limited to the specific pages associated with the agency. If USAID provides
content for use elsewhere on the site, check “Other management activities” and describe below.
☐ USAID does not manage user accounts or directly provide user access privileges for anyone to access
the site or any pages on the site, including pages associated with the agency. Describe below any user
account management capabilities provided by the website that will remain unused by USAID. Accounts
given privileged access to manage USAID content or the display of that content on this website should
not be considered a “user account” or to provide any “user access privilege” for the purpose of this
question. If USAID engages in other account management activity, check “Other management
activities,” and describe below.
☒ Other management activities. Please describe below.
USAID will help provide content for success stories where appropriate, and will provide guidance on
additions to the website.
2.2.4 Is there a contract in place to develop the website or any USAID content for
this website?
Yes. The entire website is funded, developed, and supported under the Research Technical Assistance
Center (RTAC) Contract as follows:
Prime Contractor: National Opinion Research Center (NORC), at the University of Chicago
Contract Number: 7200AA18C00057
The primary contributing subcontractors for the website and Researcher Partner Pool Portal are Forum
One, Institute of International Education (IIE), and the Population Reference Bureau (PRB).
2.2.5 Is there a contract in place for the management of any USAID activities or
responsibilities respecting this website?
Yes. The management of the website is supported by the Research Technical Assistance Center (RTAC)
Contract as follows:
Prime Contractor: National Opinion Research Center (NORC), at the University of Chicago
Contract Number: 7200AA18C00057
The primary contributing subcontractors for the website and Researcher Partner Pool Portal are Forum
One, Institute of International Education (IIE), and Population Reference Bureau (PRB).
2.2.6 Is USAID’s use of the third party website or application consistent with all
applicable laws, regulations and policies?
Check all that apply:
Paperwork Reduction Act (PRA):
☐ USAID’s activities on this website that engage the public are considered the equivalent of a public
meeting exempt from the PRA.
☐ USAID does not use any surveys or ask particular questions or requests for information from website
visitors.
☐ USAID’s activities on this website are exempt from the PRA on another basis described below.
☐ USAID secured OMB’s review and approval of all requests for information under the PRA. The OMB
control numbers are provided below.
☒ Additional Information below
The USAID Office of the General Counsel has reviewed the questions and has determined that the
questions posed in the proposed RTAC Application Partner Pool questionnaire (attached) are consistent
with previously reviewed OMB survey questions (which have received OMB review and approval).
OMB control numbers:
0412-0520
0142-0585
AID Forms:
1380-1
1380-69
In addition, the Global Development Lab (LAB) is working with M/MS/IRD to submit the RTAC Partner
Portal Application form through the formal OMB review and approval process on the Federal Register.
The Federal Register notice requesting public comment under the Paperwork Reduction Act was
published on 03/15/2019.
Federal Records Act:
☐ USAID’s activities on this website will not generate Federal Records.
☐ The website sponsor coordinated a Federal records management plan with M/MS/IRD to include a
Records Retention Policy approved by M/MS/IRD.
☐ The Records Retention Policy minimizes the PII retention timeline as much as possible. A copy of the
policy is attached.
☒ The website sponsor is in communication with M/MS/IRD regarding next steps in the process.
Anti-Deficiency Act:
☒ The Terms of Service for the website were reviewed by the Office of General Counsel (OGC), as
required by OMB-13-10, to determine whether any open-ended indemnification clauses might violate
the Anti-Deficiency Act.
☐ OGC review is not required for the reasons provided below.
OGC has reviewed the Terms of Service for the web site and has determined that the IIE Terms &
Conditions do not apply to USAID. The IIE Terms & Conditions apply only to IIE and the individual
applicants who submit information to the web site.
Website Measurement and Customization Tools (OMB M-10-22)
☒ USAID does not make use of any Website Measurement and Customization Tools on this website.
☐ No third party will make use of such tools on this website on USAID’s behalf.
☐ No PII, nor any information that could be used to identify any individual, derived from the use of such
tools on this website, is shared with USAID.
☐ As described in response to Question 4.1.6, USAID provides website visitors equivalent alternate
means to obtain access to USAID information and services without utilizing third party websites.
☐ Any use of Website Measurement and Customization Tools on this website by or on behalf of USAID
is described below.
☐ Tier Level and compliance measures are described below.
☐ Additional Information below
2.3 Website Description
2.3.1 What is the URL for the existing website, or proposed URL for the new
website?
The parent website is www.rtachesn.org (approved by USAID’s Web Governance board on
11/20/2018).
If a researcher is interested in applying to join the RTAC Partner Pool they will visit the RTAC
website and click on a “Apply to Join the RTAC Network Here” button and it will hyperlink to the
Application Portal site which will be housed at: https:apply.iie.org/usaidrtac (not yet live).
2.3.2 What is the website status?
Check all that apply.
☐ New Website Development or Procurement
☐ Pilot Project for New System Development or Procurement; Anticipated Launch Date:
☒ Existing Website Being Updated
☐ Contains Existing Web Data Collection Form or Survey
☒ Contains New Web Data Collection Form or Survey (in process of approval)
☐ Request for Dataset to be published on an External Website
☐ Linked to .gov website (List .gov website to/from which this site is linked)
☐ Microsite
☐ Other:
The parent website (rtachesn.org) is live. The RTAC Partner Pool Portal link (which will
ultimately be accessible via a button labeled “Apply to Join the RTAC Network Here” on the
parent site) is not yet live as it is awaiting approval from M/MS/IRD and the Privacy Office. The
link will ultimately be housed at: https:apply.iie.org/usaidrtac.
Detailed Status Update:
The LAB consulted with USAID/M/CIO/IT Service Delivery in July 2017 (prior to finalization and
release of the RFP to solicit these services) and received approval to move forward with our
planned RTAC procurement, to include development of an RTAC website, as well as a
recommendation that we also consult with the Legislative and Public Affairs (LPA) Website
Governance Board.
Accordingly, we submitted a request to procure an external website via the anticipated RTAC contract
through the LPA Website Governance Board process. We received notice that our “external websites
have been approved by the Website Governance Board for development” in September 2017. Our RFP
went live in Winter 2017 and the technical review and selection process took place in spring 2018.
The Contract was awarded to NORC, at the University of Chicago on July 11, 2018. They, and their
subcontractors Forum One (website lead) and IIE (application portal lead), began work on the website
almost immediately. The RTAC parent website received approval of the USAID Web governance board
on 11/20/2018.
The current version of the website does NOT include an active link to “Apply to Join the RTAC Network
Here” button. However, the intent has always been to post an “Apply to Join the RTAC Network Here”
button on the website once approval was received from IRD and the Privacy Office. Attached is the list
of questions that will be asked via the “Apply to the RTAC Network Here” portal. We are now seeking
permission to have the contractor proceed to imbed the questions/form in the “Apply to Join the RTAC
Network Here” button on the website. The “Apply to Join the RTAC Network Here” button is not yet
live on the website because we are in the process of requesting IRD and Privacy Office approval.
2.3.3 Do you use any data collection forms or surveys?
☐ No.
☐ Yes; contains existing web data collection form or survey (please provide a copy to the Privacy
Program for Privacy’s records)
☒ Yes; contains new web data collection form or survey (in process of approval)
2.3.4 Has M/MS/IRD approved the Forms or Surveys listed above?
☐ N/A
☐ Yes.
☒ No.
We are currently working with M/MS/IRD POC to obtain approval. The Federal Register notice
requesting comments on this process under the Paperwork Reduction Act was published on
03/15/2019.
3 Availability, Source and Use of PII
3.1 Types of PII
3.1.1 What types of personal information do you collect, use, maintain, or
disseminate?
Check all that apply. If you choose Other, please list the additional types of PII.
☐ None. (Note: Collection of a USAID workforce member’s name, work email address, and work
telephone number is a collection of PII.)
☒ Name, Former Name, or Alias
☒ Work Phone Number
☐ Mother’s Maiden Name
☐ Social Security Number or Truncated SSN
☐ Date of Birth
☐ Place of Birth
☐ Home Address
☐ Age
☒ Work E-Mail Address
☐ Employee Number or Other Employee Identifier
☐ Employment or Salary Record
☐ Security Clearance
☐ Criminal Record
☒ Sex or Gender
☒ Home Phone Number
☒ Personal Cell Phone Number
☐ Military Record
☐ Financial Record
☒ Personal E-Mail Address
☒ Education Record
☐ Driver’s License Number
☐ Passport Number or Green Card Number
☐ Medical Record
☐ Marital status or Family Information
☐ Race or Ethnicity
☐ Credit Card Number or Other Financial Account Number
☐ Bank Account Number
☐ Other Physical Characteristic (eye color, hair color, height, tattoo)
☐ Biometric Record (signature, fingerprint, photograph, voice print, physical movement, DNA marker, retinal scan, etc.)
☒ Other: Technical sectors of expertise
☒ Other: Geographic areas of expertise
☒ Other: Institutional affiliation
☐ Other:
☐ Tax Identification Number
☐ Citizenship
☐ Patient Identification Number
☐ Sexual Orientation
☐ Religion
3.1.2 What types of digital or mobile data do you collect, use, maintain, or
disseminate?
Check all that apply. If you choose Other, please list the types of data.
☐ None.
☒ User Names
☒ Log Data (IP address, time, date, referrer site, browser)
☒ Passwords
☐ Tracking Data (single or multi-session cookies, beacons)
☒ Form Data
☐ Location or GPS Data
☐ Other Hardware or Software Controls
☐ On/Off Status and Controls
☐ Cell Tower Records (logs, user location, time, date)
☐ Data Collected by Apps (itemize)
☐ Network Status
☐ Network Communications Data
☐ Device Settings or Preferences (security, sharing, status)
☐ SD Card or Other Stored Data
☐ Photo Data
☐ Unique Device Identifier
☐ Audio or Sound Data
☐ Camera Controls (photo, video, videoconference)
☐ Microphone Controls
☐ Other Device Sensor Controls or Data
☐ Contact List and Directories
☐ Biometric Data or Related Data
☐ Other:
3.1.3 About what types of people do you collect, use, maintain, or disseminate
personal information?
Check all that apply. If you choose Other, please list the types of people.
☒ Citizens of the United States
☒ Aliens lawfully admitted to the United States for permanent residence
☐ USAID Direct Hires and USAID Personal Services Contractors
☒ Institutional Contractors and/or Services Providers
☒ Aliens not admitted for permanent residence
3.1.4 What PII is likely to be made available to USAID, beyond what is collected?
(Note: Under OMB Memorandum M-10-23, USAID must identify the PII likely to
be made available through third party websites and applications.) Making PII
available occurs when PII becomes available to USAID regardless of whether
the agency intentionally solicits or collects it. It is not necessary to include in
this response the information actually collected by USAID and disclosed under
3.1.1 and 3.1.2, above.
If you choose Other, please provide a response.
☐ PII might be disclosed/made public by site visitors without restriction as they post/upload comments
and other materials. Indicate below whether site registration is required for postings and uploads.
☐ USAID may have access to the site’s registration information for the user. If this applies, indicate
below whether users have any options to limit the scope of account registration information or what
portions are made available to USAID. Please identify the specific relevant information likely to be made
available to USAID.
☐ PII can be uploaded, made public, or disclosed to third parties when users associate themselves with
a site or page. This can occur through “friending”, “following”, “liking”, joining a group, becoming a “fan”
and similar activities.
No PII, beyond what is collected, is expected to be made available to USAID. The only information USAID
will have access to is the information disclosed above and outlined in the attached appendix. Our
contractors have restricted the RTAC Partner Pool Application Portal form such that no additional PII
may be voluntarily shared by applicants, beyond what has been requested.
3.1.5 What are the sources of PII made available to USAID from this website?
If you choose Other, please provide a response.
☒ Information disclosed by site visitors as they post/upload comments and other materials. This will be
the information voluntarily provided by individuals who register within the partner pool.
☐ USAID access to the site’s registration information for the user.
☐ Information disclosed as users associate themselves with a site or page. (i.e., “friending”,
“following”, “liking”, joining a group, becoming a “fan” and similar activities.)
☒ Other: We have revised the form so no additional PII information can be made available by applicants
to the RTAC Partner Pool.
We are not going to retrieve the information by personal unique identifier. The sources of PII made
available to USAID from this website will be consistent with the items found above in Sections 3.1.1 and
3.1.2.
Primarily, USAID will have access to this information via password-protected access to the RTAC Partner
Pool database. A restricted number of USAID staff (less than five) will have password-protected access
to the information via the third-party website. The third-party houses, stores, and secures all the data
(the database is never envisioned to be housed on USAID’s website directly). USAID envisions searching
for partner pool members in the third-party database by subject or geographic area expertise. Unique
identifiers will not be used to search for information.
In addition to password-protected access to the third-party database, RTAC will make available to USAID
(as needed) lists/rosters of the key summative information of the expertise in the database. The roster
(either PDF and/or Excel format) would include only the key PII needed to enable USAID to determine if
the RTAC Partner Pool contains the necessary expertise to fulfill a new research requirement.
Specifically, it is envisioned to include: Institutional affiliation, name, technical sector of expertise, and
geographic sector of expertise. (NOTE: Almost all of this information is already publicly available for
university-based researchers. However, having it in one aggregated list makes it easier for USAID M/B/IOs
to quickly determine if the RTAC Partner Pool has the expertise they need to complete any new
requirements that may develop.)
The rosters will only be provided to relevant USAID staff on a “need to know” basis and will be marked
“SBU” and, once received, will be stored in limited access folders on the USAID network. The rosters will
not include contact information for the researchers.
Researchers will provide consent to share this information with both RTAC and USAID as a part of
completing their application to the RTAC Partner Pool.
☐ If the response to Question 3.1.1 indicates that no PII is collected, used, maintained or disseminated,
click here and skip to Section 4.1.
3.2 Intended Use of PII
3.2.1 How will USAID use the PII described above?
USAID will use the PII to determine if the contracted RTAC Partner Pool has the requisite expertise
needed to successfully complete new research projects identified by various M/B/IOs across the Agency.
The purpose of the RTAC Partner Pool Portal Application is to enable RTAC (NORC, third party contractor
and its subcontractors) to solicit and collect information from researchers who may be interested in
performing research on behalf of USAID so that USAID can make this determination. RTAC will be
responsible for providing USAID regularly with a general overview of the expertise available in the RTAC
research network members so interested staff at M/B/IOs who might be looking for specific geographic
and technical sector expertise can determine if the RTAC Partner Pool has adequate expertise to
respond to new needs as they are identified. This information will be provided to the Global
Development Lab’s Center for Development Research (LAB/CDR) RTAC contract management team and
will likely include charts showing the percentage of researchers in the partner pool from each region and
technical area in which USAID works. No PII will be included in those summaries.
When an M/B/IO approaches CDR with an inquiry about expertise available in the RTAC Partner Pool,
CDR will generally provide names of universities within the network, technical expertise, and geographic
expertise to interested USAID parties (minus researcher names).
If rosters of specific names and university affiliations (not addresses) of specific researchers are shared
via a spreadsheet or PDF with USAID colleagues interested in working with the RTAC Partner Pool,
(because they need more specifics to determine if appropriately experienced individuals are currently in
the RTAC Partner Pool and therefore eligible to apply for potential work), it will be appropriately
password protected before being shared via an SBU email (as noted above). Only those with a
legitimate “need to know” will have access to a roster that includes any PII, and the only PII that would
be included in the roster is: institutional affiliation, name, technical sector of expertise, and geographic
sector of expertise.
Similarly, the five USAID LAB/CDR colleagues who have password-protected access to the third-party
housed RTAC Partner Pool Database would only access the PII inside the database on an as-needed basis
and no unique identifiers would be used.
3.2.2 Provide specific examples of uses for the PII.
The PII will be used in several ways by USAID:
1) The PII that will be included in the RTAC Partner Pool Portal database will contain information critical
to supporting the monitoring and evaluation efforts and indicator tracking required for RTAC.
Specifically, the PII will be used by RTAC to help RTAC calculate whether or not they are meeting their
targets for key indicators under the Contract (i.e. number of male versus female registrants, number of
registrants associated with minority serving institutions, number of registrants of low- and middle-income countries, etc.). The information, however, will only be reported to USAID in aggregate as a part
of the bi-annual reporting process.
2) As noted above, several specific pieces of the PII (specifically Institutional affiliation, Name, technical
sector of expertise, and geographic sector of expertise) will be used to help USAID determine if the RTAC
Partner Pool Portal contains the expertise needed to help USAID complete new and upcoming research
activities for the Agency.
For example, if an M/B/IO comes to the LAB/CDR with a need for research expertise in sub-Saharan
Africa, the LAB/CDR could ask the RTAC team to send an appropriately protected list/roster that listed
the names, institutional affiliations, and geographic areas of expertise for all of their researchers in sub-Saharan Africa. Looking at the breadth and depth of that list would enable the M/B/IO to determine if
there was specific capacity within the existing RTAC Partner Pool to fulfill their new research
requirement, or if additional researchers would need to be recruited to complete the envisioned work.
3) Conversely, when an M/B/IO presents the LAB/CDR with a new project need/requirement, NORC (the
RTAC Contractor) will use the contact information (email addresses) available in the RTAC Partner Pool
to email information about the new USAID project opportunity out to Partner Pool members so that
they could consider applying for the opportunity or providing an expression of interest to USAID.
4) Once interested researchers in the Partner Pool (typically 1-5 researchers per solicitation) choose to
“apply” for new USAID opportunities, those individuals’ names, proposals, resumes, and contact
information will be shared with USAID so that USAID can participate in the research selection process (if
desired). Essentially, this function is like that of a job application review. Once a specific
researcher/research team has been selected for the new requirement, the USAID M/B/IO who will be
funding the activity will be provided access to that researcher/research team’s contact information (e.g.,
name, university, email, and phone number) so that they can complete the work together as official
subcontractors under the RTAC Contract.
5) As another example of how the PII may be used by RTAC, for the purposes of buy-in coordination,
NORC (our third-party contractor) might link together a group of RTAC Partner Pool members for a
potential joint activity. The RTAC Research Director would make those links/introductions, if
needed/applicable. USAID would not be given the email addresses or contact information to facilitate
these introductions and it is not envisioned that USAID would ever receive the email addresses and
contact information for specific partner pool members until after a research project team has submitted
a specific proposal for a USAID requirement. (NOTE: Applicants to the RTAC Partner Pool are asked to
indicate whether or not they want their information shared in this way with other RTAC Partner Pool
members, or not. Only those who have provided consent would be considered for this type of
introduction.)
NOTE: NORC, as well as all of the subcontractors supporting the RTAC Contract, have appropriate
nondisclosure/confidentiality agreements in place for this contract as a further protection for all
information covered by the contract.
3.3 Sharing and Disclosure of PII
3.3.1 Will the PII be shared with any people or entities within USAID?
Once interested parties in the RTAC Partner Pool (typically 1-5 per solicitation) choose to “apply” for
new opportunities, it is envisioned that those individuals’ names, proposals, and resumes will be shared
by RTAC with USAID/LAB/CDR and the USAID M/B/IO requesting the research activity so that USAID can
participate in the researcher selection process. Once a specific researcher/research team has been
selected, the USAID M/B/IO who will be funding the activity will have access to that researcher/research
team’s contact information (name, university, email, and phone number).
3.3.2 Will the PII be shared with any people or entities outside of USAID?
RTAC (NORC and its approved subcontractors) will not share the partner pool database with anyone
outside of USAID or its existing network of RTAC subcontractors. NORC, and all of its approved
subcontractors, have nondisclosure/confidentiality agreements in their contracts that prohibit them
from sharing this information beyond RTAC or USAID.
As noted above, for the purposes of buy-in coordination, a group of RTAC Partner Pool members may be
linked to each other (by NORC) for consideration of a potential joint activity. The RTAC Research
Director would make those links/introductions, if needed/applicable, and only after receiving consent
from both parties.
3.3.3 What safeguards will be in place to prevent uses beyond those authorized
under law and described in this PIA?
Please view IIE’s Privacy Policy here: https://www.iie.org/en/Learn/Privacy-Policy.
3.4 Maintenance and Retention of PII
3.4.1 How will the agency maintain the PII?
The vast majority of the PII collected under this contract will be maintained by USAID’s third-party
contractors offsite.
The portions of the PII that will be received by USAID via PDF or Excel sheets (limited to lists/rosters of
researchers/universities as noted above) and individual resumes for selected researchers/research
teams, etc., will be maintained in “Limited Access” folders (with appropriate privacy restrictions) and will
only be shared with other USAID colleagues on a need to know basis. When shared, the data will be
marked SBU. None of the PII maintained by USAID will be searched using unique identifiers; rather it
will just include lists of information as noted above.
3.4.2 How long will the agency maintain the PII?
The LAB/CDR reached out to the POC in M/MS/IRD; we are currently working with M/MS/IRD to develop
a retention policy.
3.4.3 Was the retention period established within USAID’s Information and Records
Division (M/MS/IRD)?
The LAB/CDR reached out to POC in M/MS/IRD; we are currently working with M/MS/IRD.
3.5 Securing PII
3.5.1 Did you review the privacy policy of the third party website and/or
application to ensure that it appropriately supports USAID’s privacy
protection position?
Yes.
The IIE Terms and Conditions can be viewed here: https://www.iie.org/en/Learn/Terms-and-Conditions
and the Privacy Policy here: https://www.iie.org/en/Learn/Privacy-Policy.
3.5.2 How will PII obtained from this website be secured?
IIE’s online application system (Slate) is in a hosted model managed by our third-party vendor,
Technolutions. All application data including PII will be stored in an encrypted database which is
centrally administered and housed on secured enterprise grade servers. All data is stored in secure,
modern datacenters, through the use of the Amazon Web Services (AWS) cloud. Production services are
hosted in the U.S. east 1 region in Northern Virginia, with services duplicated across two availability
zones. The database will never be housed on the USAID website or USAID server.
The database will run with full transaction logging. Transaction logs are backed up every 3 hours and are
held for at least 60 days, providing point-in-time restores for that duration.
Full backups are taken weekly and are held for at least 60 days. The outside duration of the Recovery
Point Objective is 3 hours, and the outside duration of the Recovery Time Objective is 12 hours (the RTO
for most issues would be measured in seconds), depending upon the severity of the issue.
Access to the database requires userid/password authentication.
Document stores are versioned and all versions are automatically replicated throughout the us-east-1
region, with near real-time replication to the us-west-2 region.
3.5.3 Indicate how PII will be encrypted, both as data in motion and data at rest.
All application data is encrypted in transit and at rest. All requests to the application platform are
routed over HTTPS with a minimum grade of 128-bits enforced. Requests over HTTP are redirected to
HTTPS.
HTTP Strict Transport Security headers are set to protect against HTTPS downgrade attacks.
Only secure versions of TLS are supported and all versions of SSL are disabled.
Request verbs are limited to GET, HEAD, and POST.
Request content length is limited as appropriate.
Cache expiration is enforced on all secured pages.
Content is compressed using gzip or deflate if supported by the browser.
Static content is cached server-side with non-immediate browser expiration and via edge-servers in
content delivery network utilizing international datacenters for low latency access all around the world.
Sensitive data is never accessed by or through the content delivery network.
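Three of the transport controls listed in this answer (HTTP-to-HTTPS redirection, HSTS, and the GET/HEAD/POST verb limit) can be checked from recorded request/response pairs. The Python below is an added example, not part of the PIA or of IIE's or Technolutions' systems; the exchange records, the host name portal.example and the function names are constructed for illustration.

```python
import re

ALLOWED_VERBS = {"GET", "HEAD", "POST"}  # verbs this section says are permitted

# Constructed sample exchanges (hypothetical host and paths, not real traffic).
GOOD_HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE = [
    {"scheme": "http", "method": "GET", "status": 301,
     "headers": {"Location": "https://portal.example/apply"}},
    {"scheme": "https", "method": "GET", "status": 200, "headers": GOOD_HSTS},
    {"scheme": "http", "method": "GET", "status": 200, "headers": {}},
    {"scheme": "https", "method": "PUT", "status": 200, "headers": GOOD_HSTS},
    {"scheme": "https", "method": "DELETE", "status": 405, "headers": GOOD_HSTS},
    {"scheme": "https", "method": "POST", "status": 200,
     "headers": {"strict-transport-security": "max-age=0"}},
    {"scheme": "https", "method": "HEAD", "status": 200, "headers": {}},
]


def _headers(exchange):
    """Header names are case-insensitive, so compare on lowercase keys."""
    return {k.lower(): v for k, v in exchange.get("headers", {}).items()}


def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value or "", re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit(exchanges):
    """Return (index, finding) pairs for exchanges that contradict the stated controls."""
    findings = []
    for i, ex in enumerate(exchanges):
        h = _headers(ex)
        method, status = ex["method"].upper(), ex["status"]
        # A verb outside the allow-list must be refused, not served.
        if method not in ALLOWED_VERBS and status < 400:
            findings.append((i, f"verb {method} accepted with status {status}"))
        if ex["scheme"] == "http":
            loc = h.get("location", "")
            if not (300 <= status < 400 and loc.lower().startswith("https://")):
                findings.append((i, "plain HTTP request not redirected to HTTPS"))
            continue  # browsers ignore HSTS sent over plain HTTP, so stop here
        age = hsts_max_age(h.get("strict-transport-security"))
        if age is None:
            findings.append((i, "HSTS header missing"))
        elif age == 0:
            findings.append((i, "HSTS max-age=0 clears the policy"))
    return findings


if __name__ == "__main__":
    for index, finding in audit(SAMPLE):
        print(f"exchange {index}: {finding}")
```
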
3.5.4 Describe how access to the PII will be controlled.
Access to all data in the RTAC Partner Pool Portal Application database, including PII, requires that all
users have a user ID and password. User access is controlled by third-party IIE application
administrators who control the level and type of user access. All user logins are logged and held for at
least 60 days. User sessions to the application system initiated outside of the US trigger emails to
application administrators as an additional layer of security. IIE expects to implement multifactor
authentication and Single Sign-on by June 2019.
4 Identification and Mitigation of Other Privacy Risks
4.1 Other Privacy Risks
4.1.1 Does a USAID.gov domain link directly to this third party website or other
location that is not part of an official government domain?
☐ No. (Jump to Section 4.1.4)
☒ Yes. The USAID.gov domain will include a hyperlink to www.rtachesn.org.
4.1.2 Is an alert provided (such as a statement or “pop-up”) to visitors explaining
they are being directed to a non-governmental website?
☐ No.
☒ Yes. (Please describe below.)
All links to sites on a non-.gov domain automatically pass through an interstitial page telling visitors that
they are being directed to a non-governmental website (confirmed via email with the LPA Web Team
Lead, email 03/14/2019).
4.1.3 Do you disclose to the public their use of the third-party application if it is
incorporated or embedded on the USAID.gov website?
N/A, the third-party application is not incorporated or embedded on the USAID.gov website.
4.1.4 How do you create the appropriate USAID brand to indicate an official USAID
presence on the third-party website?
The branding and marking on the parent site (www.rtachesn.org) is in line with branding and marking
standards and has received approval from the LPA Web Governance Board (11/20/2018).
4.1.5 Do you utilize means other than branding to distinguish USAID activities from
those of non-governmental actors?
Branding is the primary way USAID activities are distinguished from those of non-governmental actors.
We will brand USAID activities in accordance with Agency policy.
4.1.6 How does USAID provide alternate means for members of the public to obtain
equivalent access to similar agency information and services as available on
this website without using a third-party website? (Note that OMB guidance
indicates that providing alternate means for access to agency information and
services can provide substantial risk mitigation. It is also vital to assure that
members of the public are not required to access agency information and
services through third-party websites.)
Information about how to apply to be a part of the RTAC Network is made available regularly through
public presentations of both RTAC (NORC) and USAID staff. It is included in hard copy USAID-branded
RTAC brochures and flyers, is provided verbally by USAID staff in informal and formal settings, and will
be included generally on usaid.gov.
4.1.7 What other privacy risks exist, and how will the agency mitigate those risks? [1]
☐ The Privacy Notice posted by USAID on this website discloses the following privacy risks inherent in
most third-party websites: disclosure of PII by users themselves through their activities on the website,
including activities that associate their account with content on the website; third-party advertising and
tracking; and spam, unsolicited communications, spyware and similar threats.
☐ Other risks and mitigation measures discussed below.
☒ Not applicable
[1] Note: A number of specific risk factors and possible mitigation measures are discussed in OMB’s Memorandum of
December 29, 2011 to Chief Information Officers, “Model Privacy Impact Assessment for Agency’s Use of Third-Party Websites and Applications”, Section 7.1 (pp. 11-13). A number of these risks could be unrelated to any
content posted by USAID; they may stem from potential activities of website operators, other parties participating
on the overall website, and even website visitors themselves. Consider the approach to provide high-level risk
mitigation as discussed in the Websites and Applications Program Standard Operating Procedure. The Sample
Generic Privacy Notice for Third Party Websites, included in that SOP as an Appendix, is intended to provide
effective notice to website visitors of such residual risks that may remain when USAID forgoes the actual collection
of PII from the third-party website and provides alternative means for the public to obtain information and
services from USAID without using third party websites.
5 Creation or Modification of a System of Records
☐ If the response to Question 3.1.1 indicates that no PII is collected, used, maintained or disseminated,
check here and skip this section.
5.1 SORNs
5.1.1 Will the agency’s activities create or modify a “system of records” under the
Privacy Act of 1974?
No.
Please stop here and send this form to the Privacy Program at [email protected]. The Privacy
Program will review your information and contact you. For traceability and continuous process
improvement, this version of the Third Party Website PIA template is 20181116_v10D.
File Type | application/pdf |
File Title | Privacy Impact Assessment Template |
Author | USAID |
File Modified | 2019-04-24 |
File Created | 2019-04-24 |