Privacy Impact Assessment

Save

Privacy Impact Assessment Form
v 1.21
Status

Form Number

Form Date

Question

Answer

1

OPDIV:

CDC

2

PIA Unique Identifier:

TBD

2a Name:

11/20/19

Poison Center Collaborations for Public Health Emergencies
General Support System (GSS)
Major Application

3

Minor Application (stand-alone)

The subject of this PIA is which of the following?

Minor Application (child)
Electronic Information Collection
Unknown

3a

Identify the Enterprise Performance Lifecycle Phase
of the system.

Planning
Yes

3b Is this a FISMA-Reportable system?

4

Does the system include a Website or online
application available to and for the use of the general
public?

5

Identify the operator.

6

Point of Contact (POC):

7

Is this a new or existing system?

8

Does the system have Security Authorization (SA)?

No
Yes
No
Agency
Contractor
POC Title

Epidemiologist

POC Name

Royal Law

POC Organization DEHSP
POC Email

[email protected]

POC Phone

770-488-3416
New
Existing
Yes
No

8b Planned Date of Security Authorization
Not Applicable

Page 1 of 5

Save
8c

Briefly explain why security authorization is not
required

The exposure study will utilize several CDC authorized systems
for data collection, storage, and processing.

10

Describe in further detail any changes to the system
that have occurred since the last PIA.

N/A

11 Describe the purpose of the system.

The purpose of the study is to follow up on identified emerging
public health threats using information provided by the
American Association of Poison Control Centers (AAPCC). The
follow up specifically consists of conducting surveys for
affected individuals.

Page 2 of 5

Save
CDC’s key partner, the American Association of Poison Control
Centers (AAPCC), is a national network of 55 poison centers
working to prevent and treat poison exposures. The poison
centers service all states and US territories. A free national
hotline is available 24 hours a day, seven days a week to speak
to poison center experts related to poison exposures.
Already in existence and use, the AAPCC owns and operates
the National Poison Data System (NPDS), a surveillance system
compiling all calls to all poison centers in the US. On average,
every 8 minutes, all poison centers upload data collected from
calls made to their organizations to NPDS. Data routinely
uploaded into NPDS include basic demographic information of
the exposed (age, gender), the substance of exposure,
reported signs and symptoms following exposure, and medical
outcome of the exposure. AAPCC collects this data as part of
its routine surveillance and CDC does not direct the NPDS data
collection. CDC and AAPCC have developed collaborative
methods to use NPDS data for near real-time surveillance of
emerging public health threats.
Respondents selected for poison center investigations will
comprise those who initially call a poison center about triage
and treatment of potential poison exposures related to the
identified public health threat. CDC will identify respondents
based on de-identified information already collected in NPDS.
Describe the type of information the system will
In their daily operations, poison centers track a caller’s contact
collect, maintain (store), or share. (Subsequent
information for the purposes of medical follow-up; this
12
questions will identify if this information is PII and ask information will be used to contact the caller for the call-back
about the specific data elements.)
data collection. NPDS has a linking ID that links to the poison
center. Poison centers will be contacting the respondents
based on the linking ID in NPDS identified by CDC.
These data collections will obtain information on sources of
exposure, scenario of exposure, health seeking behaviors
following exposure, and awareness of health communication
messaging. These additional data can help CDC identify
interventions to improve health messaging meant to reduce
exposure; improve disaster and emergency response and
preventing future events. CDC will use this information to
improve the public health response, including public health
messaging for the specific area or incident of interest.
The types of information received from poison control centers
and maintained by the study are:
Demographic (age, sex)
Location (state)
Exposure (substance, route, exposure environment)
Health (reported exposure effects, clinical outcomes)
Surveys (exposure, health effects, medical treatment, health
messaging)
The study will authenticate users with CDC’s Microsoft Active
Directory services, an authorized CDC system which is covered
by its own PIA.

Page 3 of 5

Save

Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.

The data collected, stored, and shared will be about the
general public and specifically about those that have
contacted a poison center. There will be no identifiers in the
data. Respondents are members of the general public selected
for poison center investigations will comprise those who
initially call a poison center about triage and treatment of
potential poison exposures related to the select emerging
public health threat. CDC will identify and recruit the
respondents based on information already collected by poison
centers in the National Poison Data System (NPDS). In their
daily operations, poison centers track a caller’s contact
information for the purposes of medical follow-up; this
information will be used to contact the caller for the call-back
data collection. CDC will only receive de-identified information
once data collection is complete through an encrypted and
password-protected Microsoft access database file.
The study will authenticate users with CDC’s Microsoft Active
Directory services, an authorized CDC system which is covered
by its own PIA.

14 Does the system collect, maintain, use or share PII?

Yes
No

REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV
Senior Officer for Privacy.

Reviewer Questions
1

Are the questions on the PIA answered correctly, accurately, and completely?

Answer
Yes
No

Reviewer
Notes
2

Does the PIA appropriately communicate the purpose of PII in the system and is the purpose
justified by appropriate legal authorities?

Yes

Do system owners demonstrate appropriate understanding of the impact of the PII in the
system and provide sufficient oversight to employees and contractors?

Yes

No

Reviewer
Notes
3

No

Reviewer
Notes
4

Does the PIA appropriately describe the PII quality and integrity of the data?

Yes
No

Reviewer
Notes
5

Is this a candidate for PII minimization?

Yes
No

Reviewer
Notes

Page 4 of 5

Save
Reviewer Questions
6

Does the PIA accurately identify data retention procedures and records retention schedules?

Answer
Yes
No

Reviewer
Notes
7

Are the individuals whose PII is in the system provided appropriate participation?

Yes
No

Reviewer
Notes
8

Does the PIA raise any concerns about the security of the PII?

Yes
No

Reviewer
Notes
9

Is applicability of the Privacy Act captured correctly and is a SORN published or does it need
to be?

Yes
No

Reviewer
Notes
10

Is the PII appropriately limited for use internally and with third parties?

Yes
No

Reviewer
Notes
11

Does the PIA demonstrate compliance with all Web privacy requirements?

Yes
No

Reviewer
Notes
12

Were any changes made to the system because of the completion of this PIA?

Yes
No

Reviewer
Notes

General Comments

OPDIV Senior Official
for Privacy Signature

Jarell
Oshodi -S

Digitally signed by Jarell
HHS Senior
Oshodi -S
Agency Official
Date: 2019.12.03
for Privacy
14:48:21 -05'00'

Page 5 of 5