Privacy Impact Assessment Form
v 1.43
Status Draft Form Number F-54643 Form Date 9/18/2013 10:56:01 AM
Question Answer
OPDIV: TEST
PIA Unique Identifier: P-5860043-506903
2a Name: Test 9-18-01
The subject of this PIA is which of the following?
3a Identify the Enterprise Performance Lifecycle Phase of the system.
3b Is this a FISMA-Reportable system?
General Support System (GSS) Major Application
Minor Application (stand-alone) Minor Application (child) Electronic Information Collection Unknown
Operations and Maintenance
Yes No
Yes
Does the system include a Website or online application available to and for the use of the general public? No
Agency Contractor
POC Title Head of Clinical and Translational Informatics
Point of Contact (POC):
POC Name Jose Galvez, MD POC Organization NCI CBIIT
POC Email [email protected]
POC Phone 240-276-5206
New Existing
Yes No
8a Date of Security Authorization 4/10/2014
Describe the purpose of the system.
The CTRP Database provides a comprehensive real-time view of the state of NCI-funded cancer clinical trials, which enables NCI to make informed prioritization decisions via disease-specific steering committees. Accordingly, this resource allows the NCI to manage its portfolio of cancer clinical research investments effectively; consolidate and streamline existing reporting to individual programs within the NCI by aggregating the information already collected and eliminating the need for redundant submissions to the NCI; comply with regulatory reporting requirements when acting as the sponsor of FDA-regulated clinical investigations; prepare the detailed performance, financial management and administrative accountability reports required of Executive Branch agencies, including those required by Executive Orders or OMB Circulars, Memoranda and Guidelines; and provide appropriate public access to cancer research information.
Information collected includes the trial protocol document, the template informed consent document, and IRB approval documentation, and related protocol/lead organization information including NIH funding information, trial/organization contact information, trial status information, and IND/IDE information. Throughout a trial, ongoing trial status information is collected as well as study subject accrual information including demographic data.
collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask
about the specific data elements.)
The Clinical Trials Reporting Program (CTRP) is a web-based program to submit data about cancer-related clinical trials and to search for data concerning cancer-related clinical trials. The CTRP system is an electronic resource that is intended to serve as a single, definitive source of information about all NCI-supported clinical research. Deployment of this resource will allow the NCI to consolidate reporting, aggregate information and reduce redundant submissions. Information will be submitted by clinical research coordinators as designees of clinical investigators who conduct NCI-supported clinical research.
information it will collect, maintain (store), or share, either permanently or temporarily.
Does the system collect, maintain, use or share PII?
Yes No
Indicate the type of PII that the system will collect or maintain.
Social Security Number Date of Birth
Name Photographic Identifiers Driver's License Number Biometric Identifiers Mother's Maiden Name Vehicle Identifiers
E-Mail Address Mailing Address
Phone Numbers Medical Records Number
Medical Notes Financial Account Info
Certificates Legal Documents
Education Records Device Identifiers
Military Status Employment Status
Zip code
Gender
Ethnicity
Race
Indicate the categories of individuals about whom PII is collected, maintained or shared.
Employees Public Citizens
Business Partners/Contacts (Federal, state, local agencies) Vendors/Suppliers/Contractors
Patients
Other
How many individuals' PII is in the system? 100,000-999,999
The information is collected for purposes of portfolio management, compliance with regulatory and administrative reporting obligations and appropriate dissemination of cancer research information to the public.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)
The PII collected is part of a set of study subject information which the NCI will use to determine accrual demographics across the NCI portfolio, helping to ensure equal access to NCI trials.
N/A
N/A
Identify legal authorities governing information use and disclosure specific to the system and program.
N/A
Are records on the system retrieved by one or more PII data elements? No
22a
Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed.
Published: Published: Published:
In Progress
Directly from an individual about whom the information pertains
Identify the sources of PII in the system.
Government Sources
Non-Government Sources
In-Person Hard Copy: Mail/Fax
Email Online Other
Within the OPDIV Other HHS OPDIV State/Local/Tribal
Foreign Other Federal Entities
Other
Members of the Public
23a Identify the OMB information collection approval number and expiration date.
Commercial Data Broker Public Media/Internet
Private Sector
OMB Approval #:
0925-0600. Expiration Date: 05/31/2016
Is the PII shared with other organizations?
Yes No
Within HHS
24a Identify with whom the PII is shared or disclosed and for what purpose.
Only designated, appropriate NCI program and administrative employee and contractor staff will have full access to the data within the CTRP Database for purposes of portfolio management and compliance with regulatory and administrative reporting obligations. Access will be limited to those with a direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure agreement and staff will be given mandatory privacy and security training.
Individual submitters to the CTRP Database will have full access to information they have submitted.
Other Federal Agency/Agencies
State or Local Agency/Agencies
N/A
24b
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).
24c
Describe the procedures for accounting for disclosures
Study Subject PII is collected from the Principal Investigator or Study Coordinator, and not supplied directly by the study subject. The Principal Investigator and/or Study Coordinator are notified by posted notices on the website.
NCI will post written notices on the web site portal for the CTRP system to inform clinical investigators/research coordinators of: major changes that occur to the CTRP system that affect disclosure and/or uses of PII in the CTRP system; changes in the type of PII to be collected from study subjects; and any changes to how PII is used or shared (from current practice of making PII collected from study subjects available only to designated, appropriate NCI employee and contractor staff on a “need to know” basis for purposes of portfolio management and compliance with regulatory and administrative reporting obligations).
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
Is the submission of PII by individuals voluntary or mandatory?
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
Voluntary Mandatory
PII is not collected directly from individuals, but from the Principal Investigator or Study Coordinator. The information required from the individual is agreed upon during the Informed Consent process of enrollment.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
NCI has no means to identify or contact the individuals whose PII is in the system. The Principal Investigator and/or Study Coordinator would be notified via the CTRP website and could contact the individuals.
If individuals believe their PII has been inappropriately obtained, used or disclosed, they can file a complaint to the Office of Civil Rights (OCR) within 180 days of the alleged violation. This complaint must be in writing and submitted either by e-mail, postal mail, or fax.
The system owner checks the PII in the system. The agency will request annual self-assessment to ensure confidentiality, integrity, and availability.
Identify who will have access to the PII in the system and the reason why they require access.
Users
Personally identifiable information will be made available to designated, appropriate NCI employee and contractor staff for purposes of portfolio management and compliance with regulatory and administrative reporting obligations. Individual submitters will have full access to information they have submitted.
Administrators System Administration
Developers
Contractors
Perform services as required, primarily management of submitted data by clinical protocol abstraction staff
Others
Access will be limited to those with a direct need to access the data. Access will be granted to non-Federal staff under a non-disclosure agreement and staff will be given mandatory privacy and security training.
system users (administrators, developers, contractors, etc.) may access PII.
Level of access to PII will depend on role and users will be required to undergo training for the role responsibility. System audit logs will facilitate accountability enforcement for user transactions.
access to PII to only access the minimum amount of information necessary to perform their job.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.
Describe training system users receive (above and beyond general security and privacy awareness training).
All personnel take mandatory NIH IT Security Training to ensure they are aware of their responsibility for protecting the information collected.
N/A
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?
National Institutes of Health, NIH System Life Cycle requirements require destruction of PII upon the termination of the system.
regard to the retention and destruction of PII. Cite specific records retention schedules.
Yes No
The PII will be secured by management, operational, and technical controls. Some of these controls include user identification and authentication, the concept of least privilege, and firewalls. Infrastructure product, username and password, annual risk assessments, background checks on administrative employees, key locks and keycards necessary to enter server rooms.
be secured in the system using administrative, technical, and physical controls.
Identify the publicly-available URL:
Does the website have a posted privacy notice?
Is the privacy policy available in a machine-readable format?
Yes No
Yes
40a
41
Does the website use web measurement and customization technology?
No Yes No
Technologies Collects PII?
Yes
41a
Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply)
Web beacons
Web bugs Session Cookies
Persistent Cookies
Other...
No Yes No Yes No Yes No Yes No
Does the website have any information or pages directed at children under the age of thirteen?
Does the website contain links to non-federal government websites external to HHS?
Yes No
Yes No
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.
Reviewer Questions Answer
Yes
1 Are the questions on the PIA answered correctly, accurately, and completely?
No
Reviewer
Notes
Reviewer Questions Answer
2
Reviewer
Notes
3
Reviewer
Notes
Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities?
Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors?
Yes No
Yes No
Yes
Does the PIA appropriately describe the PII quality and integrity of the data?
Reviewer
Notes
Is this a candidate for PII minimization?
Reviewer
Notes
Does the PIA accurately identify data retention procedures and records retention schedules?
Reviewer
Notes
Are the individuals whose PII is in the system provided appropriate participation?
Reviewer
Notes
Does the PIA raise any concerns about the security of the PII?
Reviewer
Notes
No
Yes No
Yes No
Yes No
Yes No
9
Reviewer
Notes
Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be?
Yes No
Yes
Is the PII appropriately limited for use internally and with third parties?
Reviewer
Notes
Does the PIA demonstrate compliance with all Web privacy requirements?
Reviewer
Notes
No
Yes No
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Abdelmouti, Tawanda (NIH/OD) [E] |
File Modified | 0000-00-00 |
File Created | 2021-01-15 |