v 1.47.4
Status n/a Form Number n/a Form Date n/a
Question Answer
OPDIV: National Institutes of Health
PIA Unique Identifier: n/a
2a Name: NIDA Summer Research Internship Program
The subject of this PIA is which of the following?
General Support System (GSS) Major Application Minor Application (stand-alone) Minor Application (child) Electronic Information Collection Unknown
3a Identify the Enterprise Performance Lifecycle Phase of the system.
Operations and Maintenance
3b Is this a FISMA-Reportable system?
Yes No
Does the system include a Website or online application available to and for the use of the general public?
Yes No
Accept Reject
Agency Contractor
Point of Contact (POC):
POC Title
POC Name
POC Organization
POC Email
POC Phone
Accept Reject
New Existing
Does the system have Security Authorization (SA)?
Accept Reject
Yes No
November 30, 2019
Not Applicable
9 Indicate the following reason(s) for updating this PIA. Choose from the following options. |
PIA Validation (PIA Refresh/Annual Review) Anonymous to Non-Anonymous New Public Access Internal Flow or Collection Commercial Sources Other... |
Significant System Management Change Alteration in Character of Data New Interagency Uses Conversion |
Accept Reject |
10 Describe in further detail any changes to the system that have occurred since the last PIA. |
|
|
Accept Reject |
11 Describe the purpose of the system. |
|
|
Accept Reject |
12 Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.) |
|
|
Accept Reject |
13 Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. |
|
|
Accept Reject |
14 Does the system collect, maintain, use or share PII? |
Yes No |
|
Accept Reject |
15 Indicate the type of PII that the system will collect or maintain. |
Social Security Number Name Driver's License Number Mother's Maiden Name E-Mail Address Phone Numbers Medical Notes Certificates Education Records Military Status Foreign Activities Taxpayer ID Other... Other... Other... Other... Other... |
Date of Birth Photographic Identifiers Biometric Identifiers Vehicle Identifiers Mailing Address Medical Records Number Financial Account Info Legal Documents Device Identifiers Employment Status Passport Number |
Accept Reject |
16 Indicate the categories of individuals about whom PII is collected, maintained or shared. |
Employees Public Citizens Business Partners/Contacts (Federal, state, local agencies) Vendors/Suppliers/Contractors Patients Other |
Accept Reject |
|
17 How many individuals' PII is in the system? |
Accept Reject |
|
18 For what primary purpose is the PII used? |
Accept Reject |
|
19 Describe the secondary uses for which the PII will be used (e.g. testing, training or research) |
|
Accept Reject |
20 Describe the function of the SSN. |
Accept Reject |
|
20a Cite the legal authority to use the SSN. |
||
21 Identify legal authorities governing information use and disclosure specific to the system and program. |
Accept Reject |
|
22 Are records on the system retrieved by one or more PII data elements? |
Yes No |
Accept Reject |
|
22a Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed. |
Published:
Published:
Published:
In Progress |
23 Identify the sources of PII in the system. |
Directly from an individual about whom the information pertains In-Person Hard Copy: Mail/Fax Email Online Other Government Sources Within the OPDIV Other HHS OPDIV State/Local/Tribal Foreign Other Federal Entities Other Non-Government Sources Members of the Public Commercial Data Broker Public Media/Internet Private Sector Other |
Accept Reject |
23a Identify the OMB information collection approval number and expiration date. |
||
24 Is the PII shared with other organizations? |
Yes No |
Accept Reject |
25 Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. |
|
Accept Reject |
26 Is the submission of PII by individuals voluntary or mandatory? |
Voluntary Mandatory |
Accept Reject |
27 Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. |
|
Accept Reject |
28 Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. |
|
Accept Reject |
29 Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. |
|
Accept Reject |
30 Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. |
|
Accept Reject |
31 |
Identify who will have access to the PII in the system and the reason why they require access.
Users
Administrators
Developers
Contractors
Others
|
|
Accept Reject |
32 |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. |
|
Accept Reject |
33 |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. |
|
Accept Reject |
34 |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. |
|
Accept Reject |
35 |
Describe training system users receive (above and beyond general security and privacy awareness training). |
|
Accept Reject |
36 |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? |
Yes No |
Accept Reject |
37 |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. |
|
Accept Reject |
38 |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. |
|
Accept Reject |
39 |
Identify the publicly-available URL: |
|
Accept Reject |
40 |
Does the website have a posted privacy notice? |
Yes No |
Accept Reject |
40a |
Is the privacy policy available in a machine-readable format? |
Yes No |
|
41 |
Does the website use web measurement and customization technology? |
Yes No |
Accept Reject |
41a Select the type of website measurement and customization technologies in use and if it is used to collect PII. (Select all that apply) |
Technologies | Collects PII? |
Web beacons | Yes No |
Web bugs | Yes No |
Session Cookies | Yes No |
Persistent Cookies | Yes No |
Other... | Yes No |
42 Does the website have any information or pages directed at children under the age of thirteen? |
Yes No |
|
|
Accept Reject |
42a Is there a unique privacy policy for the website, and does the unique privacy policy address the process for obtaining parental consent if any information is collected? |
Yes No |
|||
43 Does the website contain links to non-federal government websites external to HHS? |
Yes No |
|
|
Accept Reject |
43a Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? |
Yes No |
|||
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy. |
|||
Reviewer Questions |
|
Answer |
|
1 Are the questions on the PIA answered correctly, accurately, and completely? |
|
Yes No |
Accept Reject |
Reviewer Notes |
|||
2 Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities? |
Yes No |
Accept Reject |
|
Reviewer Notes |
|||
3 Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors? |
Yes No |
Accept Reject |
|
Reviewer Notes |
|||
4 Does the PIA appropriately describe the PII quality and integrity of the data? |
|
Yes No |
Accept Reject |
Reviewer Notes |
|
Reviewer Questions |
Answer |
|
||
5 |
Is this a candidate for PII minimization? |
Yes No |
Accept Reject |
||
Reviewer Notes |
|||||
6 |
Does the PIA accurately identify data retention procedures and records retention schedules? |
Yes No |
Accept Reject |
||
Reviewer Notes |
|||||
7 |
Are the individuals whose PII is in the system provided appropriate participation? |
Yes No |
Accept Reject |
||
Reviewer Notes |
|||||
8 |
Does the PIA raise any concerns about the security of the PII? |
Yes No |
Accept Reject |
||
Reviewer Notes |
|||||
9 |
Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be? |
Yes No |
Accept Reject |
||
Reviewer Notes |
|||||
10 |
Is the PII appropriately limited for use internally and with third parties? |
Yes No |
Accept Reject |
||
Reviewer Notes |
|||||
11 |
Does the PIA demonstrate compliance with all Web privacy requirements? |
Yes No |
Accept Reject |
||
Reviewer Notes |
|||||
12 |
Were any changes made to the system because of the completion of this PIA? |
Yes No |
Accept Reject |
||
Reviewer Notes |
|||||
General Comments |
|
||||
OPDIV Senior Official for Privacy Signature |
HHS Senior Agency Official for Privacy |
||||
|
v 1.47.4
Status Form Number Read Only Form Date Read Only
Question Answer
OPDIV: Read Only - OPDIV
TPWA Unique Identifier (UID): Read Only - TPWA UID
TPWA Name: Read Only - TPWA Name
Is this a new TPWA?
Yes No
4a Please provide the reason for revision
Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?
Yes No
Accept Reject
5a Indicate the SORN number (or identify plans to put one in place.)
SORN Number:
If not published:
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
Yes No
Accept Reject
6a Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)
OMB Approval Number Expiration Date Explanation
Does the third-party Website or application contain Federal Records?
Yes No
Accept Reject
Point of Contact (POC):
POC Title
POC Name
POC Organization
POC Email
POC Phone
Accept Reject
Describe the specific purpose for the OPDIV use of the third-party Website or application:
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?
Yes No
Accept Reject Accept Reject
11 Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: |
|
Accept Reject |
12 Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? |
Yes No |
Accept Reject |
13 How does the public navigate to the third-party Website or application from the OPDIV? |
|
Accept Reject |
13a Please describe how the public navigates to the third-party website or application: |
||
13b If the public navigates to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? |
Yes No |
|
14 Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? |
Yes No |
Accept Reject |
14a Provide a hyperlink to the OPDIV Privacy Policy: |
||
15 Is an OPDIV Privacy Notice posted on the third-party Website or application? |
Yes No |
Accept Reject |
15a Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy |
Yes No |
|
15b Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? |
Yes No |
|
16 Is PII collected by the OPDIV from the third-party Website or application? |
Yes No |
Accept Reject |
17 Will the third-party Website or application make PII available to the OPDIV? |
Yes No |
Accept Reject |
18 Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: |
|
Accept Reject |
19 Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: |
|
Accept Reject |
19a If PII is shared, how are the risks of sharing PII mitigated? |
||||||
20 |
|
Will the PII from the third-party Website or application be maintained by the OPDIV? |
Yes No |
|
Accept Reject |
|
20a If PII will be maintained, indicate how long the PII will be maintained: |
||||||
21 |
|
Describe how PII that is used or maintained will be secured: |
|
|
Accept Reject |
|
22 |
|
What other privacy risks exist and how will they be mitigated? |
|
|
Accept Reject |
|
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy. |
||||||
|
|
Reviewer Questions |
|
Answer |
|
|
|
1 |
Are the responses accurate and complete? |
|
Yes No |
Accept Reject |
|
Reviewer Notes |
||||||
|
2 |
|
Is the TPWA compliant with all M-10-23 requirements, including appropriate branding and alerts? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||||
|
3 |
|
Has the OPDIV posted an updated privacy notice on the TPWA and does it contain the five required elements? |
Yes No |
Accept Reject |
|
Reviewer Notes |
||||||
|
4 |
Does the PIA clearly identify PII made available and/or collected by the TPWA? |
|
Yes No |
Accept Reject |
|
Reviewer Notes |
||||||
|
5 |
Is the handling of PII appropriate? |
|
Yes No |
Accept Reject |
|
Reviewer Notes |
||||||
General Comments |
|
|
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Modified | 0000-00-00 |
File Created | 2021-01-15 |