v 1.47.4
Status | Form Number | Form Date
Question | Answer
OPDIV: NIH
PIA Unique Identifier:
2a Name: NIH Office of Clinical Research (OCR) Clinical Research Training Application
The subject of this PIA is which of the following? (General Support System (GSS) / Major Application / Minor Application (stand-alone) / Minor Application (child) / Electronic Information Collection / Unknown)
3a Identify the Enterprise Performance Lifecycle Phase of the system. Development
3b Is this a FISMA-Reportable system? (Yes / No) Yes
Does the system include a Website or online application available to and for the use of the general public? No
Point of Contact (POC) (Agency / Contractor):
POC Title: Medical Officer
POC Name: Anne Zajicek
POC Organization: Office of the Director (OD) Office of Clinical Research (OCR)
Does the system have Security Authorization (SA)? (Yes / No)
September 1, 2019
Not Applicable
11. Describe the purpose of the system.
The purpose of the system is to provide a redesigned and modernized version of the existing NIH Clinical Research Training Application. This application is a Learning Management System built on Drupal. Key features include:
12. Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)
Users are required to create an account with a login ID and password to log into the system. Registration is then required to access course materials. The registration form collects the following information:
13. Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.
The information listed in Question 12 is collected and stored temporarily to provide login accounts for students taking courses within the system and to allow the OCR administrative
14. Does the system collect, maintain, use or share PII? (Yes / No)
15. Indicate the type of PII that the system will collect or maintain.
Options: Social Security Number; Date of Birth; Name; Photographic Identifiers; Driver's License Number; Biometric Identifiers; Mother's Maiden Name; Vehicle Identifiers; E-Mail Address; Mailing Address; Phone Numbers; Medical Records Number; Medical Notes; Financial Account Info; Certificates; Legal Documents; Education Records; Device Identifiers; Military Status; Employment Status; Foreign Activities; Passport Number; Taxpayer ID
Also listed: Degree; ORCiD; State/Territory; Country; Affiliation (NIH/Non-NIH, I/C, Institute/Company/Organization, Department)
16. Indicate the categories of individuals about whom PII is collected, maintained or shared.
Options: Employees; Public Citizens; Business Partners/Contacts (Federal, state, local agencies); Vendors/Suppliers/Contractors; Patients; Other
17. How many individuals' PII is in the system?
5,000-9,999
18. For what primary purpose is the PII used?
To provide identification for login accounts, emailing notifications, and placing students' names on passing exam certificates.
19. Describe the secondary uses for which the PII will be used (e.g. testing, training or research).
To allow the OCR administrative team to analyze and report demographic data and statistics for all course students, providing metrics that help improve future course offerings, for use within OCR.
20. Describe the function of the SSN.
N/A - SSN is not collected.
20a. Cite the legal authority to use the SSN.
N/A - SSN is not collected.
21. Identify legal authorities governing information use and disclosure specific to the system and program.
Privacy Act of 1974, as amended (5 U.S.C. Section 552a)
22. Are records on the system retrieved by one or more PII data elements? (Yes / No)
23. Identify the sources of PII in the system.
Directly from an individual about whom the information pertains: In-Person; Hard Copy: Mail/Fax; Email; Online; Other
Government Sources: Within the OPDIV; Other HHS OPDIV; State/Local/Tribal; Foreign; Other Federal Entities; Other
Non-Government Sources: Members of the Public; Commercial Data Broker; Public Media/Internet; Private Sector; Other
23a. Identify the OMB information collection approval number and expiration date.
OMB Number 0925-XXXX. Application for a new OMB Number is under review and is expected to be received by October 15, 2019.
24. Is the PII shared with other organizations? (Yes / No)
25. Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
The following OMB notice is placed at the top of the course registration form:
OMB Notice. Form approved | OMB Number 0925-XXXX | Expiration Date XX/XX/XX
Public reporting burden for this collection of information is estimated to average (10) minutes per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to: NIH, Project Clearance Branch, 6705 Rockledge Drive, MSC 7974, Bethesda, MD 20892-7974, ATTN: PRA (0925-xxxx). Do not return the completed form to this address.
26. Is the submission of PII by individuals voluntary or mandatory? (Voluntary / Mandatory)
27. Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
Basic information is needed to create a login account for the system: First Name, Last Name, Email Address, and Username.
28. Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
If notification is required, individuals can be notified via email.
29. Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
Individuals may send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to: NIH, Project Clearance Branch, 6705 Rockledge Drive, MSC 7974, Bethesda, MD 20892-7974, ATTN: PRA (0925-xxxx). Do not return the completed form to this address.
30. Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
A process will be in place for OCR administration to monitor the data collection annually.
31. Identify who will have access to the PII in the system and the reason why they require access.
Users:
Administrators: Troubleshoot access issues; metrics reporting
Developers: Troubleshoot access and system issues
Contractors: Troubleshoot access and system issues (the development team consists of contractors)
Others:
32. Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
Access to PII is granted through a request to the system owner, along with a proper reason for needing access to the PII. NIH login is required. Following login, the system user's privileges are verified through the NIH Identity, Credential, and Access Management Services: Identity Management Services (IMS), formerly known as Active Directory (AD), which has its own approved PIA on record, including all legal authorities documented.
33. Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
Access to PII is granted through a request to the system owner, along with a proper reason for needing access to the PII. NIH login is required. Following login, the system user's privileges are verified through the NIH Identity, Credential, and Access Management Services: Identity Management Services (IMS), formerly known as Active Directory (AD), which has its own approved PIA on record, including all legal authorities documented.
34. Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.
The NIH Security Awareness Training course is used to satisfy this requirement. According to NIH policy, all personnel who use NIH applications must attend security awareness training every year. There are four categories of mandatory IT training (Information Security, Counterintelligence, Privacy Awareness, and Records Management). Training is completed on the http://irtsectraining.nih.gov site with valid NIH credentials.
All NIH personnel, contract personnel, and non-NIH users with authorized access to NIH-owned information system resources are required to complete NIH's on-line security awareness training course. Procedures, deadlines, and instructions are found within the NIH Security Awareness and Training policy document.
35. Describe training system users receive (above and beyond general security and privacy awareness training).
Administrative users are provided training in the form of standard operating procedures. These trainings cover navigating the system, shopping cart workflows, and how to review and process publication orders.
36. Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? (Yes / No)
37. Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.
6.5 Public Customer Service Records. This schedule covers records an agency creates or receives while providing customer service to the public. Federal agencies that provide direct services to the public operate customer call centers or service centers to assist external customers. They may provide customer support through telephone discussions (toll free numbers), dialogue (via chat), and email.
Item 020: Customer/client records. Distribution lists used by an agency to deliver specific goods or services. Records include:
Record Type: Temporary
Disposition Instructions: Delete when superseded, obsolete, or when customer requests the agency to remove the records.
Disposition Authority: DAA-GRS-2017-0002-0002
38. Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.
Administrative Controls: Access requests are managed, validated, and audited by the OCR Support Team, and scheduled audits are performed to ensure accounts are validated and/or revoked if needed. Access Disclosure Agreements are required for all users.
Technical Controls: Access to the system is controlled by NIH log-in, which authenticates the user prior to granting access. Access level and permissions are controlled by the system and based on user, role, organizational unit, and status of the report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain integrity of data.
Physical Controls: The servers reside in the Center for Information Technology (CIT) Computer Room, where policies and procedures are in place to restrict access to the machines. This includes guards at the front door and entrance to the machine room.
39. Identify the publicly-available URL:
ocrtraining.cit.nih.gov (expected URL; pending configuration of production site)
40. Does the website have a posted privacy notice? (Yes / No)
40a. Is the privacy policy available in a machine-readable format? (Yes / No)
41. Does the website use web measurement and customization technology? (Yes / No)
41a. Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply)
Technologies | Collects PII?
Web beacons | Yes / No
Web bugs | Yes / No
Session Cookies | Yes / No
Persistent Cookies | Yes / No
Other... | Yes / No
42. Does the website have any information or pages directed at children under the age of thirteen? (Yes / No)
43. Does the website contain links to non-federal government websites external to HHS? (Yes / No)
43a. Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? (Yes / No)
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.
Reviewer Questions | Answer
1. Are the questions on the PIA answered correctly, accurately, and completely? (Yes / No)
Reviewer Notes:
2. Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities? (Yes / No)
Reviewer Notes:
3. Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors? (Yes / No)
Reviewer Notes:
4. Does the PIA appropriately describe the PII quality and integrity of the data? (Yes / No)
Reviewer Notes:
5. Is this a candidate for PII minimization? (Yes / No)
Reviewer Notes:
6. Does the PIA accurately identify data retention procedures and records retention schedules? (Yes / No)
Reviewer Notes:
7. Are the individuals whose PII is in the system provided appropriate participation? (Yes / No) Yes
Reviewer Notes:
8. Does the PIA raise any concerns about the security of the PII? (Yes / No) No
Reviewer Notes:
9. Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be? (Yes / No) Yes
Reviewer Notes:
10. Is the PII appropriately limited for use internally and with third parties? (Yes / No)
Reviewer Notes:
11. Does the PIA demonstrate compliance with all Web privacy requirements? (Yes / No)
Reviewer Notes:
12. Were any changes made to the system because of the completion of this PIA? (Yes / No) No
Reviewer Notes:
General Comments:
OPDIV Senior Official for Privacy Signature
HHS Senior Agency Official for Privacy
v 1.47.4
Status | Form Number: Read Only | Form Date: Read Only
Question | Answer
OPDIV: Read Only - OPDIV
TPWA Unique Identifier (UID): Read Only - TPWA UID
TPWA Name: Read Only - TPWA Name
Is this a new TPWA? (Yes / No)
4a. Please provide the reason for revision:
5. Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? (Yes / No)
5a. Indicate the SORN number (or identify plans to put one in place.) SORN Number: / If not published:
6. Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? (Yes / No)
6a. Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) OMB Approval Number: / Expiration Date: / Explanation:
Does the third-party Website or application contain Federal Records? (Yes / No)
Point of Contact (POC): POC Title / POC Name / POC Organization / POC Email / POC Phone
Describe the specific purpose for the OPDIV use of the third-party Website or application:
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? (Yes / No)
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:
Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? (Yes / No)
13. How does the public navigate to the third-party Website or application from the OPDIV?
13a. Please describe how the public navigates to the third-party website or application:
13b. If the public navigates to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? (Yes / No)
14. Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? (Yes / No)
14a. Provide a hyperlink to the OPDIV Privacy Policy:
15. Is an OPDIV Privacy Notice posted on the third-party Website or application? (Yes / No)
15a. Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy. (Yes / No)
15b. Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? (Yes / No)
16. Is PII collected by the OPDIV from the third-party Website or application? (Yes / No)
17. Will the third-party Website or application make PII available to the OPDIV? (Yes / No)
18. Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application, and the intended or expected use of the PII:
19. Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
19a. If PII is shared, how are the risks of sharing PII mitigated?
20. Will the PII from the third-party Website or application be maintained by the OPDIV? (Yes / No)
20a. If PII will be maintained, indicate how long the PII will be maintained:
21. Describe how PII that is used or maintained will be secured:
22. What other privacy risks exist and how will they be mitigated?
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.
Reviewer Questions | Answer
1. Are the responses accurate and complete? (Yes / No)
Reviewer Notes:
2. Is the TPWA compliant with all M-10-23 requirements, including appropriate branding and alerts? (Yes / No)
Reviewer Notes:
3. Has the OPDIV posted an updated privacy notice on the TPWA and does it contain the five required elements? (Yes / No)
Reviewer Notes:
4. Does the PIA clearly identify PII made available and/or collected by the TPWA? (Yes / No)
Reviewer Notes:
5. Is the handling of PII appropriate? (Yes / No)
Reviewer Notes:
General Comments:
OPDIV Senior Official for Privacy Signature
HHS Senior Agency Official for Privacy
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Created | 2021-01-15