|
|
1. OPDIV |
National Institutes of Health |
2. PIA Unique Identifier |
P-1110930-742633 |
2a. Name |
CRSS: OCRTME Training Program |
3. The subject of this PIA is which of the following? |
Major Application |
3a. Identify the Enterprise Performance Lifecycle Phase of the system. |
Operational |
3b. Is this a FISMA-Reportable system? |
Yes |
4. Does the system include a Website or online application available to and for the use of the general public? |
Yes |
Accept / Reject Status |
|
|
|
Question 4 Comment |
|
|
|
5. Identify the operator. |
Agency |
6. Point of Contact (POC) |
|
POC Title |
System Owner |
POC Name |
Simmons, Jennifer |
POC Organization |
NIH/CC/OCRTME |
POC Email |
|
POC Phone |
301.402.0914 |
Accept / Reject Status |
|
|
|
Question 6 Comment |
|
|
|
7. Is this a new or existing system? |
New |
8. Does the system have Security Authorization (SA)? |
Yes |
Accept / Reject Status |
|
|
|
Question 8 Comment |
|
|
|
8a. Date of Security Authorization |
12/31/2017 |
|
|
9. Indicate the following reason(s) for updating this PIA. Choose from the following options. |
|
Other |
|
Accept / Reject Status |
|
|
|
Question 9 Comment |
|
|
|
|
|
10. Describe in further detail any changes to the system that have occurred since the last PIA. |
The system's management changed substantially in 2018. The CC was using two different vendors for two clusters of websites that OCRTME was operating, Digital Infuzion and D'Vinci Interactive. The D'Vinci Interactive contract is no longer with NIH CC, but rather NIH OD (as of December 2018). |
Accept / Reject Status |
|
|
|
Question 10 Comment |
|
|
|
11. Describe the purpose of the system. |
This collection of administrative systems, known as Clinical Research Student records system (CRS), tracks applications from healthcare researchers, providers and administrators in training at the National Institutes of health (NIH) Clinical Center (CC) Office of Clinical Research Training and Medical Education's (OCRTME) undergraduate and graduate medical education programs.
A third-party web application provider, under the direction of the Executive Director for Graduate Medical Education, provides online course registration functionality for NIH training programs and conduct Alumni tracking surveys for graduates of the NIH training programs, all sites hosted at NIH. The programs administered are as follows: Medical Research Scholars Program Graduate Medical Education Clinical Electives Program Doctor of Philosophy (Ph.D.) Summer Course Resident Electives Program Clinical Research Training Program (CRTP)/Alumni Survey |
Accept / Reject Status |
|
|
|
Question 11 Comment |
|
|
|
12. Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.) |
The personally identifiable information (PII) collected includes name, personal mailing address, personal phone number, personal email address, educational records, and employment status. The information is not disseminated, and is used to process applicants for training programs sponsored by various Institutes and Centers (ICs) within the NIH. The information is submitted voluntarily by medical/dental students or physicians and is collected to determine the suitability of applicants for NIH clinical research training programs. Those solicited may be members of the general public.
The system uses specific login information to assign permissions/user roles which is considered Personally Identifiable Information (PII). However, this is done by using the NIH Identity, Credential, and Access Management Services: Identity Management Services (IMS), which combines the identity and authentication tools and capabilities used throughout the NIH enterprise. IMS maintains its own unique privacy impact assessment (PIA). The purpose of the IMS is to authenticate and authorize all users and computers in a Windows domain network; assigning and enforcing information security policies for all computers and installing or updating software. The IMS collects unique user names and passwords (user credentials) and stores them in an encrypted format. The IMS is an essential service which facilitates and governs network access to various resources. |
Accept / Reject Status |
|
|
|
Question 12 Comment |
|
|
|
13. Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. |
This collection of administrative systems, known as Clinical Research Student records system (CRS), tracks applications from healthcare researchers, providers and administrators in training at the National Institutes of health (NIH) Clinical Center (CC) Office of Clinical Research Training and Medical Education's (OCRTME) undergraduate and graduate medical education programs.
A third-party web application provider, under the direction of the Executive Director for Graduate Medical Education, provides online course registration functionality for NIH training programs and conduct Alumni tracking surveys for graduates of the NIH training programs, all sites hosted at NIH. The programs administered are as follows: Medical Research Scholars Program Graduate Medical Education Clinical Electives Program Doctor of Philosophy (Ph.D.) Summer Course Resident Electives Program Clinical Research Training Program (CRTP)/Alumni Survey
The personally identifiable information (PII) collected includes name, personal mailing address, personal phone number, personal email address, educational records, and employment status. The information is not disseminated, and is used to process applicants for training programs sponsored by various Institutes and Centers (ICs) within the NIH. The information is submitted voluntarily by medical/dental students or physicians and is collected to determine the suitability of applicants for NIH clinical research training programs. Those solicited may be members of the general public.
The system uses specific login information to assign permissions/user roles which is considered Personally Identifiable Information (PII). However, this is done by using the NIH Identity, Credential, and Access Management Services: Identity Management Services (IMS), which combines the identity and authentication tools and capabilities used throughout the NIH enterprise. IMS maintains its own unique privacy impact assessment (PIA). The purpose of the IMS is to authenticate and authorize all users and computers in a Windows domain network; assigning and enforcing information security policies for all computers and installing or updating software. The IMS collects unique user names and passwords (user credentials) and stores them in an encrypted format. The IMS is an essential service which facilitates and governs network access to various resources. |
Accept / Reject Status |
|
|
|
Question 13 Comment |
|
|
|
14. Does the system collect, maintain, use or share PII? |
Yes |
Accept / Reject Status |
|
|
|
Question 14 Comment |
|
|
|
|
|
15. Indicate the type of PII that the system will collect or maintain. |
Name, E-Mail Address, Phone Numbers, Education Records, Mailing Address, Employment Status |
|
|
|
|
|
|
Accept / Reject Status |
|
|
|
Question 15 Comment |
|
|
|
16. Indicate the categories of individuals about whom PII is collected, maintained or shared. |
Employees, Public Citizens |
|
|
Accept / Reject Status |
|
|
|
Question 16 Comment |
|
|
|
17. How many individuals' PII is in the system? |
10,000-49,999 |
Accept / Reject Status |
|
|
|
Question 17 Comment |
|
|
|
18. For what primary purpose is the PII used? |
For clinical research training programs and to evaluate the effectiveness / outcome of NIH clinical research training programs. |
Accept / Reject Status |
|
|
|
Question 18 Comment |
|
|
|
19. Describe the secondary uses for which the PII will be used (e.g. testing, training or research) |
The information collected is used to validate the compliance of graduate medical education training programs sponsored by the Clinical Center with the requirements of external accrediting organizations, specifically the Accreditation Council for Graduate Medical Education located in Chicago, IL. |
Accept / Reject Status |
|
|
|
Question 19 Comment |
|
|
|
20. Describe the function of the SSN. |
SSN is not collected. It is acknowledged that SSN may appear on transcripts. This collection would be unsolicited and incidental. The SSN is never used and could be removed. |
Accept / Reject Status |
|
|
|
Question 20 Comment |
|
|
|
20a. Cite the legal authority to use the SSN. |
SSN is not collected. |
21. Identify legal authorities governing information use and disclosure specific to the system and program. |
42 USC 241, 263, 282 |
22. Are records on the system retrieved by one or more PII data elements? |
Yes |
Accept / Reject Status |
|
|
|
Question 22 Comment |
|
|
|
|
|
22a. Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed. |
|
Published: |
09-25-0014, Clinical Research: Student Records, HHS/NIH/OD/OIR/OE |
Published: |
|
Published: |
|
In Progress |
No |
|
|
23. Identify the sources of PII in the system. |
In-Person, Hard Copy: Mail/Fax, Email, Online |
Accept / Reject Status |
|
|
|
Question 23 Comment |
|
|
|
23a. Identify the OMB information collection approval number and expiration date. |
OMB Number: 0925-0698 (Application Process for Clinical Research Training and Medical Education at the Clinical Center and its impact on Course and Training Program Enrollment and Effectiveness)
The expiration date is 07/31/2020 and will be renewed. |
24. Is the PII shared with other organizations? |
Yes |
Accept / Reject Status |
|
|
|
Question 24 Comment |
|
|
|
|
|
24a. Identify with whom the PII is shared or disclosed and for what purpose. |
|
Within HHS |
Yes |
|
Applicant names within the system may be shared with other NIH institutes. |
Other Federal Agency/Agencies |
No |
|
|
State or Local Agency/Agencies |
No |
|
|
Private Sector |
No |
|
|
24b. Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). |
There are no MOUs or ISAs for this system. |
24c. Describe the procedures for accounting for disclosures. |
|
|
|
25. Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. |
Individuals self-select for application and make the affirmative action to visit the NIH website(s) in question. Applicants are notified at the website where data is collected that submission of information is voluntary but necessary for program application and consideration. |
Accept / Reject Status |
|
|
|
Question 25 Comment |
|
|
|
26. Is the submission of PII by individuals voluntary or mandatory? |
Voluntary |
Accept / Reject Status |
|
|
|
Question 26 Comment |
|
|
|
27. Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. |
Individuals may opt out by not applying to the program. |
Accept / Reject Status |
|
|
|
Question 27 Comment |
|
|
|
28. Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. |
The information received from respondents is only used for the two purposes documented, evaluation for the purpose of selecting qualified participants and validation of compliance with the requirements of external accrediting organizations. No changes to the OCRTME program are likely to occur. If a change were to occur, applicant data would then be used to notify and obtain consent from applicants for any new use. |
Accept / Reject Status |
|
|
|
Question 28 Comment |
|
|
|
29. Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. |
A Privacy Rights Complaint Form is available to individuals when they believe that their PII has been inappropriately used or disclosed. The Clinical Center's Privacy Office will review the complaint and respond to the concern within 30 business days. Complaints could also be submitted to the System Manager, who would investigate and share findings with CC Information Systems Security Officer (ISSO) and CC Privacy Officer. |
Accept / Reject Status |
|
|
|
Question 29 Comment |
|
|
|
30. Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. |
OCRTME follows an auditing and accountability Standard Operating Procedure. The system owner regularly reviews and analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions (such as reporting security violations). |
Accept / Reject Status |
|
|
|
Question 30 Comment |
|
|
|
31. Identify who will have access to the PII in the system and the reason why they require access. |
|
Users |
Yes |
|
Users need access to screen program applicants. |
Administrators |
Yes |
|
Administrators do not have access to the applicant data but may have unforseen, incidental access in the performance of administrative functions. |
Developers |
No |
|
|
Contractors |
No |
|
|
Others |
No |
|
|
32. Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. |
Access to PII is assigned based upon job roles/responsibilities. A NIH Active Directory (AD) account login is required to gain access to the stored PII data. The access rights of the logged on user's AD account determines file system permissions and whether PII may be accessed. NIH Active Directory maintains its own unique PIA, including all legal authorities documented. |
Accept / Reject Status |
|
|
|
Question 32 Comment |
|
|
|
33. Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. |
Appropriate access is granted to the system based on predefined roles and job descriptions, and administrative access is limited to authorized employees based on current roles. Dual factor authentication with NIH Personal Identity Verification (PIV) card and NIH Active Directory will occur at time of login to the NIH Network and 3M System. System owners are responsible for creating the proper security groups within their systems with the applicable permissions for group members to enforce least privilege. |
Accept / Reject Status |
|
|
|
Question 33 Comment |
|
|
|
34. Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. |
All NIH employees and direct contractors must take the NIH Information Security Awareness Course and NIH Privacy Awareness Course prior to being granted access to NIH information resources. In addition, the Information Security and Privacy Awareness Refresher must be taken annually. Administrators and Privileged Users/Developers require additional security and privacy training specific to their roles and responsibilities. Determinations are made based on Role based access controls and least privilege. |
Accept / Reject Status |
|
|
|
Question 34 Comment |
|
|
|
35. Describe training system users receive (above and beyond general security and privacy awareness training). |
Application specific one-on-one peer training is provided as needed. |
Accept / Reject Status |
|
|
|
Question 35 Comment |
|
|
|
36. Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? |
Yes |
Accept / Reject Status |
|
|
|
Question 36 Comment |
|
|
|
37. Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. |
Records are retained and disposed of under the authority of the NIH Intramural Records Retention Schedule.
Medical Staff Credentialing Records, DAA-0443-2012-0007-0011, are temporary records that can be destroyed 30 years after cutoff, which is one year after the medical staff member leaves patient care.
Records are maintained within this system for a time of no less than six years after a password is altered or an user account is terminated in accordance with National Archives and Records Administration (NARA) record retention schedule: 3.2.031, System access records; Systems requiring special accountability for access; DAA-GRS-2013-0006-0004 |
Accept / Reject Status |
|
|
|
Question 37 Comment |
|
|
|
38. Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. |
Physical Controls: The information technology (IT) hardware used to host protected information is located in a secured datacenter facility. The facility is only open to authorized personnel whose access is monitored by locking doors with badge readers for both ingress and egress. Each discrete ingress and egress event is logged. The facility is under 24-hour surveillance by facilities security for security and environmental hazards.
Technical Controls: IT hardware and software is segregated from default commodity public networks to prevent unauthorized or malicious access. Access controls lists and event logs are maintained and monitored to detect unauthorized, suspicious or malicious activity. Access lists are restricted to approved IT technical personnel. Two factor authentication must be used for access. File integrity and auditing software are employed on hardware.
Administrative Controls: All technical personnel who access IT systems which contain protected information have met background investigation criteria for Public Trust positions. All personnel have taken mandatory security and privacy training classes and annual refreshers. Administrative personnel accessing these systems use privileged and separate accounts for administrative access. |
Accept / Reject Status |
|
|
|
Question 38 Comment |
|
|
|
|
|
|
|
39. Identify the publicly-available URL. |
https://ocrtmeapps.cc.nih.gov/mrsp https://ocrtmeapps.cc.nih.gov/gme https://ocrtmeapps.cc.nih.gov/phdsummercourse/ https://ocrtmeapps.cc.nih.gov/rep/ https://ocrtmeapps.cc.nih.gov/survey |
Accept / Reject Status |
|
|
|
Question 39 Comment |
|
|
|
40. Does the website have a posted privacy notice? |
Yes |
Accept / Reject Status |
|
|
|
Question 40 Comment |
|
|
|
|
|
40a. Is the privacy policy available in a machine-readable format? |
No |
|
|
41. Does the website use web measurement and customization technology? |
No |
Accept / Reject Status |
|
|
|
Question 41 Comment |
|
|
|
|
|
41a. Select the type of website measurement and customization technologies is in use and if it is used to collect PII. (Select all that apply). |
|
Web Beacons |
No |
Collects PII? |
No |
Web Bugs |
No |
Collects PII? |
No |
Session Cookies |
Yes |
Collects PII? |
No |
Persistent Cookies |
No |
Collects PII? |
No |
Other ... |
|
Collects PII? |
Undefined |
|
|
42. Does the website have any information or pages directed at children under the age of thirteen? |
No |
Accept / Reject Status |
|
|
|
Question 42 Comment |
|
|
|
|
|
42a. Is there a unique privacy policy for the website, and does the unique privacy policy address the process for obtaining parental consent if any information is collected? |
Undefined |
|
|
43. Does the website contain links to non-federal government websites external to HHS? |
No |
Accept / Reject Status |
|
|
|
Question 43 Comment |
|
|
|
|
|
43a. Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? |
Undefined |
|
|
|
|
|
|
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy. |
|
1. Are the questions on the PIA answered correctly, accurately, and completely? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 1 Comment |
|
|
|
2. Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 2 Comment |
|
|
|
3. Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 3 Comment |
|
|
|
4. Does the PIA appropriately describe the PII quality and integrity of the data? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 4 Comment |
|
|
|
5. Is this a candidate for PII minimization? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 5 Comment |
|
|
|
6. Does the PIA accurately identify data retention procedures and records retention schedules? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 6 Comment |
|
|
|
7. Are the individuals whose PII is in the system provided appropriate participation? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 7 Comment |
|
|
|
8. Does the PIA raise any concerns about the security of the PII? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
Accept / Reject Status |
|
|
|
Question 8 Comment |
|
|
|
9. Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
Accept / Reject Status |
|
|
|
Question 9 Comment |
|
|
|
10. Is the PII appropriately limited for use internally and with third parties? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 10 Comment |
|
|
|
11. Does the PIA demonstrate compliance with all Web privacy requirements? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 11 Comment |
|
|
|
12. Were any changes made to the system because of the completion of this PIA? |
|
Reviewer Notes |
|
Accept / Reject Status |
|
|
|
Question 12 Comment |
|
|
|
General Comments |
|
|
|
Status and Approvals |
|
IC Status |
IC Approved |
OSOP Status |
Undefined |
OPDIV Senior Official for Privacy Signature |
|
HHS Senior Agency Official for Privacy |
|
|
For Official Use Only (FOUO) |
Page
|
| File Type | text/rtf |
| Author | Vorck, Fred (NIH/CC/DCRI) [E] |
| Last Modified By | Abdelmouti, Tawanda (NIH/OD) [E] |
| File Modified | 2020-06-30 |
| File Created | 2020-06-30 |