Privacy Impact Assessment (PIA)
Attachment 9 - Privacy Impact Assessment.docx
Information Program on Clinical Trials: Maintaining a Registry and Results Databank (NLM)
Privacy Impact Assessment (PIA)
OMB: 0925-0586
Save
Privacy Impact Assessment Form v 1.47.4 |
|||||
Question |
Answer |
||||
1 |
OPDIV: |
NIH |
|
||
2 |
PIA Unique Identifier: |
P-2417478-252031 |
|
||
2a |
Name: |
NLM Data Center: MEDLARS: ClinicalTrials.gov |
|
||
3 |
The subject of this PIA is which of the following? |
|
|
||
3a |
Identify the Enterprise Performance Lifecycle Phase of the system. |
Operations and Maintenance |
|
||
3b |
Is this a FISMA-Reportable system? |
|
Yes No |
|
|
4 |
Does the system include a Website or online application available to and for the use of the general public? |
Yes |
|
||
5 |
Identify the operator. |
Agency Contractor |
|
||
6 |
Point of Contact (POC): |
POC Title ISSO/Assistant to Director
POC Name Dar-Ning Kung POC Organization HHS/NIH/NLM POC Email [email protected] POC Phone 301-827-3688 |
|
||
7 |
Is this a new or existing system? |
New |
|
||
8 |
Does the system have Security Authorization (SA)? |
Yes No |
|
||
8a |
Date of Security Authorization |
6/7/2017 12:00:00 AM |
|
||
ClinicalTrials.gov is a web-based resource that provides patients, their family members, health care professionals, researchers, and the public with easy access to information on publicly and privately supported clinical studies on a wide range of diseases and conditions. The website is maintained by the National Library of Medicine (NLM) at the National Institutes of Health (NIH). Information on ClinicalTrials.gov is provided and updated by the sponsor or principal investigator of the clinical study.
Describe the purpose of the system.
ClinicalTrials.gov collects information about clinical studies (study purpose, design, eligibility criteria, outcomes), and makes it publicly available to patients, their families, health care professions, researchers, and the public. Summary-level information (not information about individual participants) about the study results by arm or study group (number of participants starting and completing, demographic information, outcomes, and adverse event information) is collected and posted publicly.
Describe the type of information the system will
collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask
about the specific data elements.)
The clinical trial registration and results information is submitted through the online Protocol Registration and Results System (PRS) and stored on Agency servers.
Organizations that sponsor clinical studies must request an account in the PRS to provide clinical trial information using an application form that collects the following information from the publicly accessible website: Type of Organization; Country; Organization Name; Organization Address; Organization Abbreviation and Acronyms (optional); Parent Organization (if any); Official Representative; Official Representative Phone; Official Representative Email; Organization, Web Site (optional); Funding Organization (optional); Regulatory Authority; and Regulatory Authority Address. The name and contact information of the individual who is authorized to update and maintain data in the PRS must also be provided, along with the username and login information (password and organization). Information about these individuals is not posted on the data bank or otherwise made publicly available. Information about the sponsor of the trial must be submitted at the time of trial registration, including the name of the sponsor and contact information. The name and title of the sponsor or responsible party is publicly posted, but contact information is not. For recruiting studies only, the names and contact information of individuals (or a central study coordinator) who can respond to questions concerning enrollment at any location of the study are posted publicly as required under Sec. 402(j) of the PHS Act (42 U.S.C. § 282(j)).
At the time of results information submission, the name and contact information of the individual who has knowledge of the results must be submitted and is posted publicly as required under Sec. 402(j) of the PHS Act (42 U.S.C. § 282(j)).
To obtain information, users of the ClinicalTrials.gov public website enter a query. The request is then processed by the search engine on ClinicalTrial.gov servers and the results are returned to the user as a webpage.
Web-based read-only queries of ClinicalTrials.gov database are conducted by the public world-wide by any number of users.
ClinicalTrials.gov uses specific login information to assign
Page 2 of 10
Provide an overview of the system and describe the
information it will collect, maintain (store), or share, either permanently or temporarily.
ClinicalTrials.gov collects the following information from organizations that sponsor of clinical studies when they apply for PRS accounts: Type of Organization; Country; Organization Name; Organization Address; Organization Abbreviation and Acronyms (optional); Parent Organization (if any); Official Representative; Official Representative Phone; Official Representative Email; Organization Web Site (optional); Funding Organization (optional); Regulatory Authority; Regulatory Authority Address; username; and login information. The name and contact information of the individual who is authorized to update and maintain data in the PRS must also be provided. Information about these individuals is not posted in the data bank or otherwise made publicly available. Information about the sponsor of the trial must be submitted at the time of trial registration, including the name of the sponsor and contact information. The name and title of the sponsor or responsible party is publicly posted, but contact information is not. For recruiting studies only, the names and contact information of individuals (or a central study coordinator) who can respond to questions concerning enrollment at any location of the study are posted publicly as required under Sec. 402(j) of the PHS Act (42 U.S.C. § 282(j)).
At
the time
of results
information submission,
the name
and contact
information of
the individual
who has
knowledge of the
results must be submitted and is posted publicly as required
under Sec.
402(j) of
the PHS
Act (42
U.S.C. §
282(j)).
ClinicalTrials.gov collects information about clinical studies (study purpose, design, eligibility criteria, outcomes), and makes it publicly available to patients, their families, health care professions, researchers, and the public. Summary-level information (not information about individual participants) about the study results by arm or study group (number of participants starting and completing, demographic information, outcomes, and adverse event information) is collected and posted publicly.
ClinicalTrials.gov uses specific login information to assign permissions/user roles which is considered Personally Identifiable Information (PII). However, this is done by using the NIH Identity, Credential, and Access Management Services: Identity Management Services (IMS), formerly known as the Active Directory (AD), which combines the identity and authentication tools and capabilities used throughout the NIH enterprise. The IMS has its own approved PIA on record, including all legal authorities documented.
Does the system collect, maintain, use or share PII?
Yes No
15 |
Indicate the type of PII that the system will collect or maintain. |
E-Mail Address Phone Numbers
Department
Username Password |
|
|
|
Employees |
|
|
|
Public Citizens |
|
16 |
Indicate the categories of individuals about whom PII |
Business Partners/Contacts (Federal, state, local agencies) |
|
|
is collected, maintained or shared. |
|
|
|
|
|
|
|
|
Other |
|
17 |
How many individuals' PII is in the system? |
100,000-999,999 |
|
18 |
For what primary purpose is the PII used? |
The primary purpose for the use of Personally Identifiable Information (PII) is to provide users with Contact information to respond to requests for information/assistance, provide quality review comments, and to initiate compliance/ enforcement actions under Title 42, Part 11 of the Code of Federal Regulations (42 CFR Part 11).
PII is also used to provide functional access via established NIH authentication and authorization protocols; including NIH Login and IMS, in order to provide permissions to the system (per user role and least privilege) for NIH employees that serve as system administrators. NIH Login and IMS maintain their own approved Privacy Impact Assessments (PIAs), including documented legal authorities. |
|
19 |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) |
Not applicable. |
|
20 Describe the function of the SSN. |
Not applicable. |
|
20a Cite the legal authority to use the SSN. |
Not applicable. |
|
21 Identify legal authorities governing information use and disclosure specific to the system and program. |
Section 402(i) and 402(j) of the Public Health Service Act. |
|
22 Are records on the system retrieved by one or more PII data elements? |
No |
|
23 Identify the sources of PII in the system. |
Directly from an individual about whom the information pertains
Email Online
Other Non-Government Sources
Other |
|
23a Identify the OMB information collection approval number and expiration date. |
OMB No. 0925-0586; Expiration Date: February 29, 2020. |
|
24 Is the PII shared with other organizations? |
Yes
|
|
HardWithin HHS
Food and Drug Administration has access to the PII.
Name and contact information of the personal knowledgeable about enrollment at any location of the study and the clinical trial results are posted for those who 24a Identify with whom the PII is shared or disclosed and are subject to Sec. 402(j) of the PHS Act. for what purpose. Other Federal Agency/Agencies State or Local Agency/Agencies
|
|
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer 24b Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). |
Not applicable. |
24c Describe the procedures for accounting for disclosures |
Not applicable. |
Describe the process in place to notify individuals 25 that their personal information will be collected. If no prior notice is given, explain the reason. |
All data elements for collected information are posted publicly, unless labeled explicitly as "Will not be made public - for administrative purposes only" in the ClinicalTrials.gov Data Elements Definition documents (Responsible Party Contact Information).
Additionally, submitters are required to review and agree to a code of conduct statement before submitting PII information. |
26 Is the submission of PII by individuals voluntary or mandatory? |
Voluntary
|
Describe the method for individuals to opt-out of the 27 collection or use of their PII. If there is no option to object to the information collection, provide a reason. |
Individuals have the option to not enter their PII during the registration process. However, failure to enter PII will result in not being able to register and use ClinicalTrials.gov. |
PRS account administrators and users are notified of major changes to the PRS through the "What's New in the ClinicalTrials.gov PRS" webpage, which is accessible within the PRS. They may update or change the PII provided previously when a major change occurs (or at any time for any valid Describe the process to notify and obtain consent reason). from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure Note that to date, we have not made any major changes to the 28 and/or data uses have changed since the notice at PRS that affect disclosure or data uses of PII. However, if the time of original collection). Alternatively, describe modifications were to be made in the future that result in a why they cannot be notified or have their consent major change in the disclosure or use of collected PII, in obtained. addition to adding information to the "What's New in the ClinicalTrials.gov PRS" webpage we would also be able to notify each PRS account administrator and user by email and provide a way for concerned individuals to contact ClinicalTrials.gov directly. |
|||
Describe the process in place to resolve an individual's concerns when they believe their PII has Individuals who have concerns about the accuracy of the PII 29 been inappropriately obtained, used, or disclosed, or can contact ClinicalTrials.gov or revise the information directly that the PII is inaccurate. If no process exists, explain through a their account. why not. |
|||
Describe the process in place for periodic reviews of ClinicaTrials.gov data providers are required to review and 30 PII contained in the system to ensure the data's update submitted information at least once every 12 months integrity, availability, accuracy and relevancy. If no in general; more frequently for certain data elements (e.g., processes are in place, explain why not. Responsible Party Contact Information). |
|||
31 Identify who will have access to the PII in the system and the reason why they require access. |
Users |
Users of the ClinicalTrials.gov public site have access to PII displayed in publicly posted study records (Facility Contact Information). Users require |
|
Administrators |
In order to evaluate the incoming submissions. |
||
Developers |
Restricted, and only as part of assigned tasking. |
||
Contractors |
Direct Contractors have restricted access, and only as part of assigned tasking. |
||
|
|
||
System users are approved by ClinicalTrial.gov's management for access based on their technical/functional role in administering, developing, and supporting the daily job functions of ClinicalTrial.gov. Describe the procedures in place to determine which 32 system users (administrators, developers, NIH Login is required. Following login, system user's privileges contractors, etc.) may access PII. are verified through the use of the NIH Identity, Credential, and Access Management Services: Identity Management Services (IMS), formerly known as the Active Directory (AD), and has its own approved PIA on record, including all legal authorities documented. |
|||
Periodic review of system users' roles are done to assure access is current with user's technical/functional role in administering, developing, and supporting the daily job functions of ClinicalTrials.gov.
Describe the methods in place to allow those with 33 access to PII to only access the minimum amount of NIH Login is required. Following login, system user's privileges information necessary to perform their job. are verified through the use of the NIH Identity, Credential, and Access Management Services: Identity Management Services (IMS), formerly known as the Active Directory (AD), and has its own approved PIA on record, including all legal authorities documented. |
|
Identify training and awareness provided to The NIH Security Awareness Training course is used to satisfy personnel (system owners, managers, operators, this requirement. According to NIH policy, all personnel who contractors and/or program managers) using the use NIH applications must attend security awareness training 34 system to make them aware of their responsibilities every year. There are four categories of mandatory IT training for protecting the information being collected and (Information Security, Counterintelligence, Privacy Awareness, maintained. and Records Management). Training is completed on the http://irtsectraining.nih.gov site with valid NIH credentials. |
|
Describe training system users receive (above and 35 beyond general security and privacy awareness training). |
Those individuals with privileged access accounts are required to complete a role-based training course every 3 three years specific to their position and role. |
Do contracts include Federal Acquisition Regulation 36 and other appropriate clauses ensuring adherence to privacy provisions and practices? |
Yes |
Describe the process and guidelines in place with 37 regard to the retention and destruction of PII. Cite specific records retention schedules. |
Records are maintained within ClinicalTrial.gov until business ceases in accordance with NARA record retention schedule: Record Schedule for ClinicalTrials.gov: I-0003: Records of All Other Intramural Research Projects (DAA-0443-2012-0007-0003). Disposition: TEMPORARY. Cut off annually at termination of project/program or when no longer needed for scientific reference, whichever is longer. Destroy 7 years after cutoff. |
Administrative Controls: System users are approved by ClinicalTrial.gov's management for access based on their technical/functional role in administering, developing, and supporting ClinicalTrials.gov' daily job functions, and administrators perform periodic reviews to assure users adhere to system policies.
Technical Controls: Access to the system is controlled by NIH log-in which authenticates the user prior to granting access. Describe, briefly but with specificity, how the PII will Access level and permissions are controlled by the system and 38 be secured in the system using administrative, based on user, role, organizational unit, and status of the technical, and physical controls. report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain integrity of data.
Physical Controls: The servers reside in the Center for Information Technology (CIT) Computer Room where policies and procedures are in place to restrict access to the machines. This includes guards at the front door and entrance to the machine room. |
||
39 Identify the publicly-available URL: |
https://clinicaltrials.gov/ https://register.clinicaltrials.gov/ https://prsinfo.clinicaltrials.gov/ |
|
40 Does the website have a posted privacy notice? |
Yes
|
|
40a Is the privacy policy available in a machine-readable format? |
Yes
|
|
Does the website use web measurement and 41 customization technology? |
Yes
|
|
|
Technologies Web beacons
Other... |
Collects PII? |
|
|
|
|
No |
|
Select the type of website measurement and 41a customization technologies is in use and if it is used to collect PII. (Select all that apply) |
No |
|
|
No |
|
|
Yes |
|
|
No |
|
42 Does the website have any information or pages directed at children under the age of thirteen? |
|
|
43 Does the website contain links to non- federal government websites external to HHS? |
Yes
|
|
Is a disclaimer notice provided to users that follow Yes 43a external links to websites not owned or operated by HHS? |
||
General Comments |
The exit disclaimer is part of the NLM Privacy Policy, which has a link included on the ClinicalTrials.gov website.
This component is under the National Library of Medicine (NLM) Data Center General Support System, whose Universal Unique Identifier (UUID) is: 7F0B20AA-D232-4B74-8CCF-0F52020D98E1. |
|
Ralph D. Digitally signed by Ralph OPDIV Senior Official D. French -S for Privacy Signature French -S Date: 2018.12.04 14:30:19 -05'00' |
HHS Senior Bridget M. Digitally signed by Bridget M. Guenther -S DN: c=US, o=U.S. Government, ou=HHS, ou=OS, ou=People, Agency Official 0.9.2342.19200300.100.1.1=2001734030, for Privacy Guenther -S cn=Bridget M. Guenther -S Date: 2018.12.10 13:20:32 -05'00' |
|
Page 1
of 10
| File Type | application/zip |
| File Modified | 0000-00-00 |
| File Created | 2021-01-14 |
© 2024 OMB.report | Privacy Policy