PIA word

_8c Briefly explain why security authorization is not _{Because this not a system.} required

₁₀ Describe in further detail any changes to the system that have occurred since the last PIA.

n/a

11 Describe the purpose of the system.

In September 2018, the Division of Adolescent and School Health (DASH) funded 25 Local Education Agencies (LEAs) under Promoting Adolescent Health through School-Based HIV Prevention (PS18-1807). PS18-1807 supports a multi- component, multi-level effort to support youth reaching adulthood in the healthiest possible way. DASH is developing the Program Evaluation and Reporting System (PERS), a program evaluation and monitoring system for LEAs to report process and outcome measures. PERS will collect data about LEAs and their priority schools related to three strategies, Sexual Health Education (SHE), Sexual Health Services (SHS), and Safe and Supportive Environments (SSE).

Describe the type of information the system will

₁₂ collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask

about the specific data elements.)

LEAs will enter process and outcome data into the PERS system semi-annually, using a set of three questionnaires. The questionnaires ask for programmatic information about the LEAs and their priority schools. Data collection involves collecting programmatic reporting data from the project manager at each of the funded NOFO 1807 Local Education Agencies (LEAs). LEAs are the school districts funded to implement this programmatic initiative.

The data that is collected from the program managers does not involve the collection of sensitive, or personal information.

Although the name and work email address of the program managers at each LEA entering, viewing, and submitting data stored for each responding organization, the system only collects programmatic data about LEAs and priority schools.

Data entry into PERS is structured as a series of questionnaires which are answered by each LEA for their own work and the work of their priority schools. In addition, LEAs can upload relevant curriculum documents into the system. LEAs will have the option for multiple staff members have log-ins. To facilitate the data collection process for LEAs, copies of the

^{Provide an overview of the system and describe the} questionnaires in PDF format are available for download from

13 information it will collect, maintain (store), or share, _PERS. either permanently or temporarily.

The data that is collected from the program managers does not involve the collection of sensitive, or personal information.

Although the name and work email address of the program managers at each LEA entering, viewing, and submitting data stored for each responding organization, the system only collects programmatic data about LEAs and priority schools.

14 Does the system collect, maintain, use or share PII?

Yes No

15

Indicate the type of PII that the system will collect or maintain.

Social Security Number Date of Birth

Name Photographic Identifiers Driver's License Number Biometric Identifiers

Mother's Maiden Name Vehicle Identifiers

E-Mail Address Mailing Address

Phone Numbers Medical Records Number

Medical Notes Financial Account Info

Certificates Legal Documents

Education Records Device Identifiers

Military Status Employment Status

Foreign Activities Passport Number Taxpayer ID _Other...

Business E-Mail Address Other...

Other... Other...

16

Indicate the categories of individuals about whom PII is collected, maintained or shared.

Employees

Public Citizens

Business Partners/Contacts (Federal, state, local agencies) Vendors/Suppliers/Contractors

Patients

Other

17

How many individuals' PII is in the system?

100-499

18

For what primary purpose is the PII used?

Names and email addresses are used to link PERS users to their LEA and to determine which forms they have access to in the system. Professional Email addresses are used as the user log- in.

19

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

none

20

Describe the function of the SSN.

n/a

20a

Cite the legal authority to use the SSN.

n/a

21

Identify legal authorities governing information use and disclosure specific to the system and program.

Sections 301(a) and 317(k)(2) of the Public Health Service Act [42 U.S.C. Sections 241 and 247(k)(2)], as amended

22

Are records on the system retrieved by one or more PII data elements?

Yes No

Identify the number and title of the Privacy Act

_22a System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being

developed.

Published: Published:

Published:

In Progress

²³ Identify the sources of PII in the system.

Directly from an individual about whom the information pertains

In-Person Hard Copy: Mail/Fax

Email Online Other Government Sources

Within the OPDIV Other HHS OPDIV State/Local/Tribal

Foreign Other Federal Entities

Other Non-Government Sources

Members of the Public Commercial Data Broker Public Media/Internet

Private Sector

Other

_23a Identify the OMB information collection approval number and expiration date.

24 Is the PII shared with other organizations?

Yes No

Within HHS

Other Federal

_24a Identify with whom the PII is shared or disclosed and for what purpose.

Agency/Agencies

State or Local

Agency/Agencies

Private Sector

DASH website includes the names of the following: all our funded LEAs from PS18-NOFO1807 and

all project managers for each LEA.

Describe any agreements in place that authorizes the _{Anyone can google “local education agencies within a} ^{information sharing or disclosure (e.g. Computer} specified state” and all of the school districts will appear.

^{24b Matching Agreement, Memorandum of} Any person can then see all of the departments within the ^{Understanding (MOU), or Information Sharing} specific LEA, e.g. school instruction & curricula, funded Agreement (ISA)). _{projects, etc.}

Once a department or program is opened, a person can then go to “directory” and see a list of names and emails for all persons on staff.

_24c Describe the procedures for accounting for disclosures

N/A

Describe the process in place to notify individuals

25 that their personal information will be collected. If no prior notice is given, explain the reason.

Individuals are asked to register in the system using their name, professional email address, and LEA name.

₂₆ Is the submission of PII by individuals voluntary or mandatory?

Voluntary Mandatory

_{Describe the method for individuals to opt-out of the} Individuals can opt-out of providing their name or email _{collection or use of their PII. If there is no option to} address, however, they will not be able to access the system.

²⁷ _{object to the information collection, provide a} The system must be able to identify the user via email address _reason. and the user must be linked to their LEA for data collection and

analysis.

Describe the process to notify and obtain consent

from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure

_{28 and/or data uses have changed since the notice at} In the event that a major change occurs, individuals will be

the time of original collection). Alternatively, describe ^{notified via email.}

why they cannot be notified or have their consent obtained.

Describe the process in place to resolve an

individual's concerns when they believe their PII has

_{29 been inappropriately obtained, used, or disclosed, or} No process exists as we will only collecting individuals names that the PII is inaccurate. If no process exists, explain ^{and their professional email address.}

why not.

Describe the process in place for periodic reviews of

₃₀ PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no

processes are in place, explain why not.

The contract will review the list of registered users at various points in the project to ensure that only active users' PII is stored in the system.

₃₁ Identify who will have access to the PII in the system and the reason why they require access.

Users

^{Administrators} System maintenance Developers ^{System development and}

maintenance

^Contractors System maintenance and data analysis

Others

Administrators, developers, and contractors that are

_{Describe the procedures in place to determine which} responsible for maintaining and developing the system and

_{32 system users (administrators, developers,} conducting data analysis will have a "Systems/Database _{contractors, etc.) may access PII.} Administrator" user-type which will allow them to access the

User Names and Email addresses. Other PERS users will only

have access to their own user name, email, and data.

Describe the methods in place to allow those with

_{33 access to PII to only access the minimum amount of} Those with access to PII need to be able to confirm the users' _{information necessary to perform their job.} names, email addresses, and corresponding funded agency.

Identify training and awareness provided to

^{personnel (system owners, managers, operators,} All CDC employees and contractors must complete the Records

₃₄ ^{contractors and/or program managers) using the} Management and Security Awareness training. In addition, IT ^{system to make them aware of their responsibilities} Administrators must take the Information Security for IT

for protecting the information being collected and _{Administrators course.} maintained.

Describe training system users receive (above and

35 beyond general security and privacy awareness _{MASO and SAT, both on cdc.gov} training).

Do contracts include Federal Acquisition Regulation _Yes

36 and other appropriate clauses ensuring adherence to

privacy provisions and practices? ^No

Records are retained and disposed of in accordance with the ^{Describe the process and guidelines in place with} CDC Records Control Schedule 04-4-22 Family of HIV Surveys,

37 regard to the retention and destruction of PII. Cite _{Division of HIV/AIDS Prevention/Surveillance and} specific records retention schedules. _{Epidemiology.}

Administrative controls: The information collection involves use of web-based data collection methods. The website does use cookies, and access to the web-based questionnaire, which is password-protected and given only to the staff of the CDC/ DASH-funded LEAs who will complete the questionnaires.

^{Describe, briefly but with specificity, how the PII will} Once the contractor is notified that business partners no

^{38 be secured in the system using administrative,} longer are participating, an Administrator will delete the ^{technical, and physical controls.} individuals contact information from the list of users.

Technical controls: CDC will maintain information in secure electronic files that will only be accessible to authorized members of the team. Electronic files will be stored on secure network servers, and access will be restricted to approved team members identified by user ID and password.

REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions Answer

Yes

1 Are the questions on the PIA answered correctly, accurately, and completely?

No

Reviewer

Notes

Does the PIA appropriately communicate the purpose of PII in the system and is the purpose ^Yes

² justified by appropriate legal authorities? _No

Reviewer Questions

Answer

Reviewer

Notes

3

Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors?

Yes No

Reviewer

Notes

4

Does the PIA appropriately describe the PII quality and integrity of the data?

Yes No

Reviewer

Notes

5

Is this a candidate for PII minimization?

Yes No

Reviewer

Notes

6

Does the PIA accurately identify data retention procedures and records retention schedules?

Yes No

Reviewer

Notes

7

Are the individuals whose PII is in the system provided appropriate participation?

Yes No

Reviewer

Notes

8

Does the PIA raise any concerns about the security of the PII?

Yes No

Reviewer

Notes

9

Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be?

Yes No

Reviewer

Notes

10

Is the PII appropriately limited for use internally and with third parties?

Yes No

Reviewer

Notes

11

Does the PIA demonstrate compliance with all Web privacy requirements?

Yes No

Reviewer

Notes

12

Were any changes made to the system because of the completion of this PIA?

Yes No

Reviewer

Notes