Download:
pdf |
pdfPRIVACY IMPACT ASSESSMENT (PIA)
FOR
NATIONAL INSTITUTE OF MENTAL HEALTH
DATA ARCHIVES (NDA)
September 18th, 2020
�Introduction
The E-Government Act of 2002, Section 208, establishes the requirement for agencies to
conduct privacy impact assessments (PIAs) for electronic information systems and
collections. The assessment is a practical method of evaluating privacy in information
systems and collections, and documented assurance that privacy issues have b een identified
and adequately addressed.
The process is designed to guide NIH system owners and developers in assessing privacy
during the early stages of development and throughout the System Development Life Cycle
(SDLC), to determine how their project will affect the privacy of individuals and whether
the project objectives can be met while also protecting privacy.
This guide provides a framework for conducting privacy impact assessments and a
methodology for assessing how Personally Identifiable Information (PII) is to be managed
in information systems within the NIH.
PIA Overview
Conducting a PIA ensures compliance with laws and regulations governing privacy and
demonstrates the NIH’s commitment to protect the privacy of any personal information we
collect, store, retrieve, use and share. It is a comprehensive analysis of how the NIH’s
electronic information systems and collections handle Personally Identifiable Information
(PII). The objective of the PIA is to systematically identify the risks and potential effects of
collecting, maintaining, and disseminating PII and to examine and evaluate alternative
processes for handling information to mitigate potential privacy risks.
Personally Identifiable Information (PII)
PII is information in an IT system or online collection that directly identifies an individual
(e.g., name, address, social security number or other identifying number or code,
telephone number, email address, etc.) In addition, PII may be comprised of information
by which an agency intends to identify specific individuals in conjunction with other data
elements, i.e., indirect identification. These data elements may also include gender, race,
birth date, geographic indicator and other descriptors.
�HHS Privacy Impact Assessment (Form) / NIH NIMH Data Archive System
PIA SUMMARY
1
The following required questions with an asterisk (*) represent the information necessary to complete the
PIA Summary for transmission to the Office of Management and Budget (OMB) and public posting in
accordance with OMB Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. If
the system hosts a website, the Website Hosting Practices section is required to be completed regardless of
the presence of personally identifiable information (PII). If no PII is contained in the system, please answer
questions in the PIA Summary Tab and then promote the PIA to the Senior Official for Privacy who will
authorize the PIA. If this system contains PII, all remaining questions on the PIA Form Tabs must be
completed prior to signature and promotion.
2
Summary of PIA Required Questions
*Is this a new PIA?
No, This is an existing system
If this is an existing PIA, please provide a reason for revision:
FIPS-199 categorization has been updated to FISMA Moderate
*1. Date of this Submission:
September 18, 2020
*2. OPDIV Name:
NIH
*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.13 is Yes, a SORN number is
required for Q.4):
N/A
*5. OMB Information Collection Approval Number:
N/A
*6. Other Identifying Number(s):
N/A
*7. System Name (Align with system item name):
National Institute of Mental Health Data Archive (NDA)
*8. System Point of Contact (POC). The System POC is the person to whom questions about the system
and the responses to this PIA may be addressed:
Point of Contact Information
System POC Name
Gurpreet Panjrath –
[email protected]
�202.849.1158
*9. Provide an overview of the system:
NDA is a collection of information systems supporting the full range of brain and mental health research activities. It
provides infrastructure for sharing research data, tools, methods, and analyses enabling collaborative science
and discovery. De-identified human subject’s data, harmonized to a common standard, are made available to
qualified researchers. The NDA mission is to accelerate scientific research and discovery through data
sharing, data harmonization, and the reporting of research results.
*10. Indicate if the system is new or an existing one being modified:
NDA is an existing system being modified
*11. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any
database(s), record(s), file(s) or website(s) hosted by this system?
Yes
TIP: If the answer to Question 11 is “No” (indicating the system does not contain PII), only the remaining
PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA
must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII
“permitting the physical or online contacting of a specific individual … employed [by] the Federal
Government – only need to complete the PIA Summary tab.)
11a. Is this a GSS PIA, included for A&A purposes only, with no ownership of underlying application
data? If the response to Q.11a is Yes, the response to Q.11 should be No and only the PIA Summary must
be completed.
No
*12. Are records on the system retrieved by 1 or more PII data elements?
No
*13. Is the system subject to the Privacy Act? (If the response to Q.12 is Yes, the response to Q.13 must be
Yes and a SORN number is required for Q.4)
No
*14. If the system shares or discloses PII, please specify with whom and for what purpose(s):
All NDA geolocation, sensor and device ID data are de-identified prior to being shared or disclosed to the
researchers with the IRB approval.
*15. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate
(clearly state if the information contained in the system ONLY represents federal contact data); (2) Why
and for what purpose the agency will use the information; (3) Explicitly indicate whether the information
contains PII; and (4) Whether submission of personal information is voluntary or mandatory:
The investigators collect the following information from the research participants. NDA then collects these
data from the investigators. NDA maintains, disseminates and /or made available these data to researchers
with a need-to-know privileges and permissions:
1.
• Study ID
• Participant ID
• Sensor type
• Device OS type
• Device IDs (smart watches)
• Timestamp (date and time) data
�• Latitude, longitude, and altitude coordinates (with 68% confidence)
• Message type (SMS, MMS, and phone)
• Address (hashes of phone number or contact)
• Communication direction (incoming, outgoing or missed)
• Communication duration
• De-identified Scientific Research Data (OMICS and Bioassay data) from Study Investigators.
2. The information being collected are used for research and studies to create derived variables using
published analysis methods.
3. The information being collected are sensitive data of the participants, however they do not uniquely
identify a participant hence these data do not contain PII.
4. Participation in the study and for that matter data collection is voluntary.
*16. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals
whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have
changed since the notice at the time of the original collection); (2) Notify and obtain consent from
individuals regarding what PII is being collected from them; and (3) How the information will be used or
shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written
notice, electronic notice, etc.]):
NDA does not directly obtain consent from research participants whose data is submitted to NDA.
Investigators submitting human subjects research data to NDA, and their research institution, agree that the
data are collected pursuant to an informed consent that is consistent with the data submission and used for
health research purposes. Submitters and their institutions further acknowledge that the data are collected in
a manner consistent with all applicable laws and regulations, as well as institutional policies.
*17. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices
section is required to be completed regardless of the presence of PII)
Yes
*18. Does the website have any information or pages directed at children under the age of thirteen?
No
*19. Are there policies or guidelines in place with regards to the retention and destruction of PII? (Refer
to the A&A package and/or the Records Retention and Destruction section in SORN)
N/A
*20. Briefly describe in detail how the PII will be secured on the system using administrative, technical,
and physical controls:
Access to the study participant PII data is role-based permission with least privilege functionality requiring
the use of identification and authenticators (NIH access credentials).
�PIA REQUIRED INFORMATION
1 HHS Privacy Impact Assessment (PIA)
The PIA determines if Personally Identifiable Information (PII) is contained within a system, what kind of
PII, what is done with that information, and how that information is protected. Systems with PII are subject
to an extensive list of requirements based on privacy laws, regulations, and guidance. The HHS Privacy Act
Officer may be contacted for issues related to Freedom of Information Act (FOIA) and the Privacy Act.
Respective Operating Division (OPDIV) Privacy Contacts may be contacted for issues related to the Privacy
Act. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions related to
the administrative, technical, and physical controls of the system. Please note that answers to questions with
an asterisk (*) will be submitted to the Office of Management and Budget (OMB) and made publicly
available in accordance with OMB Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible.
2
General Information
*Is this a new PIA?
No
If this is an existing PIA, please provide a reason for revision:
FIPS-199 Categorization for the system changed to FISMA Moderate.
*1. Date of this Submission:
September 18 2020
*2. OPDIV Name:
NIH
3. Unique Project Identifier (UPI) Number for current fiscal year (Data is auto-populated from the
System Inventory form, UPI table):
149C0961-9C43-42E7-AEEC-39BFD537CB71
*4. OMB Information Collection Approval Number:
N/A
4a. OMB Collection Approval Number Expiration Date:
N/A
*5. Other Identifying Number(s):
N/A
6. System Location: (OPDIV or contractor office building, room, city, and state)
System Location:
OPDIV or contractor office building
Amazon Cloud
Room
N/A
City
N/A
State
N/A
�*7. System Point of Contact (POC). The System POC is the person to whom questions about the system
and the responses to this PIA may be addressed:
Point of Contact Information
POC Name
Gurpreet Panjrath
The following information will not be made publicly available:
POC Title
NDA Project Manager
POC Organization
HHS/NIH/NIMH
POC Phone
202.849.1158
POC Email
[email protected]
*8. Provide an overview of the system: (Note: The System Inventory form can provide additional
information for child dependencies if the system is a GSS)
Funded by the National Institutes of Health, the National Institute of Mental Health Data Archive (NDA) is a
single infrastructure that was initially created through the integration of a set of research data repositories
including the National Database for Autism Research (NDAR), the Research Domain Criteria Database
(RDoCdb), the National Database for Clinical Trials related to Mental Illness (NDCT), and the NIH
Pediatric MRI Repository (PedsMRI). The NDA infrastructure was established to support autism research,
but has grown into an informatics platform that facilitates data sharing across all of mental health and other
research communities, making data available from each of these repositories combined into a single resource
with a single process for gaining access to all shared data.
�SYSTEM CHARACTERIZATION AND DATA CATEGORIZATION
1 System Characterization and Data Configuration
9. Does HHS own the system?
Yes, NIH owns NDA but is hosted in Amazon AWS
9a. If no, identify the system owner:
N/A
10. Does HHS operate the system? (If the system is operated at a contractor site, the answer should be No)
No
11. If no, identify the system operator:
N/A
12. Identify the life-cycle phase of this system:
The system is in Production
13. Have any of the following major changes occurred to the system since the PIA was last submitted?
Please indicate “Yes” or “No” for each category
below:
Yes/No
Conversions
No
Anonymous to Non-Anonymous
No
Significant System Management Changes
No
Significant Merging
No
New Public Access
No
Commercial Sources
No
New Interagency Uses
No
Internal Flow or Collection
No
Alteration in Character of Data
No
14. Is the system a General Support System (GSS), Major Application (MA), Minor Application (child) or
Minor Application (stand-alone)?
Minor Application (child)
*15. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any
database(s), record(s), file(s) or website(s) hosted by this system?
Researchers contributing data to the NIMH Data Archive (NDA) are responsible for ensuring their data are
deidentified and that Personally Identifiable Information (PII) is not uploaded to the NDA inside data files or
in data file names or headers. NDA requires that all data file names, and headers do not contain any
information that reveals PII. NDA provisions data to authorized users for secondary analysis and thus
masked PII may appear to secondary users as true PII. Masked PII can also obscure the presence of real PII
erroneously left unmasked within the same dataset. Examples of masked PII include names and initials of
�non-subjects, dates that do not refer to interview dates or birthdates, and any “scrambled” or falsified values
in a PII field.
NDA allows for two exceptions where identifying information clearly does not relate to research subjects
and therefore does not have to be removed prior to submission: (1) the surname of the Principal Investigator
(PI) of the research project and (2) serial numbers for devices that are not pacemakers or other items unique
to an individual.
TIP: If the answer to Question 15 is “No” (indicating the system does not contain PII), only the remaining
PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA
must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII
“permitting the physical or online contacting of a specific individual … employed [by] the Federal
Government – only need to complete the PIA Summary tab.)
Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use
the Other field to identify the appropriate category of PII.
Categories:
Yes/No
Name (for purposes other than contacting
federal employees)
No
Date of Birth
No
Social Security Number (SSN)
No
Photographic Identifiers
No
Driver’s License
No
Biometric Identifiers
No
Mother’s Maiden Name
No
Vehicle Identifiers
No
Personal Mailing Address
No
Personal Phone Numbers
No
Medical Records Numbers
No
Medical Notes
No
Financial Account Information
No
Certificates
No
Legal Documents
No
Device Identifiers
Yes NDA allows for exception where identifying
information clearly does not relate to research subjects
and therefore does not have to be removed prior to
submission: serial numbers for devices that are not
pacemakers or other items unique to an individual NDA
recommends removing these values from files if feasible.
Web Uniform Resource Locator(s) (URL)
No
Personal Email Address
No
Education Records
No
Military Status
No
Employment Status
No
�Foreign Activities
No
Other
Yes – Lat / Lon data with 68% confidence, Device
ID for smart watches, Time Zone, Communication
Time (text, calls, length of call)
1 6. Please indicate the categories of individuals about whom PII is collected, maintained, disseminated
and/or passed through. Note: If the applicable PII category is not listed, please use the other field to
identify the appropriate category of PII. Please answer "Yes" or "No" to each of these choices (NA in other
is not applicable).
Categories:
Yes/No
Employees
No
Public Citizen
No
Patients
No
Business partners/contacts (Federal, state, local
agencies)
No
Vendors/Suppliers/Contractors
No
Other
Yes - Research Subjects
17. Are 10 or more records containing PII maintained, stored or transmitted/passed through this system?
No
�INFORMATION SHARING PRACTICES
1 Information Sharing Practices
18. Does the system share or disclose PII with other divisions within this agency, external agencies, or
other people or organizations outside the agency?
Yes, only the device ID and geolocation data which do not uniquely identify a research subject.
Please indicate “Yes” or “No” for each category Yes/No
below:
Name (for purposes other than contacting
federal employees)
No
Date of Birth
No
SSN
No
Photographic Identifiers
No
Driver’s License
No
Biometric Identifiers
No
Mother’s Maiden Name
No
Vehicle Identifiers
No
Personal Mailing Address
No
Personal Phone Numbers
No
Medical Records Numbers
No
Medical Notes
No
Financial Account Information
No
Certificates
No
Legal Documents
No
Device Identifiers
Yes NDA allows for exception where identifying
information clearly does not relate to research subjects
and therefore does not have to be removed prior to
submission: serial numbers for devices that are not
pacemakers or other items unique to an individual. NDA
recommends removing these values from files if feasible.
Web URLs
No
Personal Email Address
No
Education Records
No
Military Status
No
Employment Status
No
Foreign Activities
No
Other
Yes – Lat / Lon data with 68% confidence, Device
ID for smart watches, Time Zone, Communication
Time (text, calls, length of call)
�*19. If the system shares or discloses PII please specify with whom and for what purpose(s):
Whom: IRB approved investigators
Purpose: For scientific research purposes described in research proposal, approved by IRB
20. If the PII in the system is matched against PII in one or more other computer systems, are computer
data matching agreement(s) in place?
N/A
21. Is there a process in place to notify organizations or systems that are dependent upon the PII
contained in this system when major changes occur (i.e., revisions to PII, or when the system is replaced)?
N/A
22. Are individuals notified how their PII is going to be used?
N/A
22a. If yes, please describe the process for allowing individuals to have a choice. If no, please provide an
explanation.
N/A
23. Is there a complaint process in place for individuals who believe their PII has been inappropriately
obtained, used, or disclosed, or that the PII is inaccurate?
N/A
23a. If yes, please describe briefly the notification process. If no, please provide an explanation.
N/A
24. Are there processes in place for periodic reviews of PII contained in the system to ensure the data’s
integrity, availability, accuracy and relevancy?
Yes
24a. If yes, please describe briefly the review process. If no, please provide an explanation.
Access to these research data is strictly based on need-to-know by the researchers with least permissions that
do not allow modifications of data to protect the data integrity and accuracy. NDA being in AWS cloud
caters for the data availability as AWS implements availability zones for redundancy.
25. Are there rules of conduct in place for access to PII on the system?
Yes
Please indicate "Yes," "No," or "N/A" for each category. If yes, briefly state the purpose for each user to
have access:
Users with access to PII
Yes/No/N/A
User
Not Applicable
Administrators
Not Applicable
Developers
Yes, NDA Staff has access to the
data
Contractors
Not Applicable
Purpose
This is for Development and
Administrative purposes.
�Other
Yes - Investigators
For scientific research purposes
described in research proposal,
approved by IRB
*26. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate
(clearly state if the information contained in the system ONLY represents federal contact data); (2) Why
and for what purpose the agency will use the information; (3) Explicitly indicate whether the information
contains PII; and (4) Whether submission of personal information is voluntary or mandatory:
NDA houses, harmonizes, and shares human-subjects data collected as part of NIH-funded projects with the
goal of accelerating progress in the research of mental health. NDA stores and shares clinical/phenotypic,
neuroimaging, genomic, and other data from hundreds of thousands of research participants. NDA is one
database infrastructure that supports efforts to make data collected by different laboratories as consistent as
possible and allow other researchers to access those data for secondary use. Some of these datasets contain
PII about research participants, such as geolocation data, device IDs, and sensor data. Research participant
data, which may include PII about those participants, is submitted by investigators through NDA if the
appropriate participant consent is provided to the research team.
*27. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals
whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have
changed since the notice at the time of the original collection); (2) Notify and obtain consent from
individuals regarding what PII is being collected from them; and (3) How the information will be used or
shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written
notice, electronic notice, etc.])
NDA does not directly obtain consent from research participants whose data is submitted to NDA.
Investigators submitting human subjects research data to NDA, and their research institution, agree that the
data are collected pursuant to an informed consent that is consistent with the data submission. Submitters
and their institutions further acknowledge that the data are collected in a manner consistent with all
applicable laws and regulations, as well as institutional policies.
�WEBSITE HOSTING PRACTICES
1 Website Hosting Practices
*28. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices
section is required to be completed regardless of the presence of PII)
Yes
Please indicate “Yes” or “No”
for each type of site below. If
the system hosts both Internet
and Intranet sites, indicate
“Yes” for “Both” only.
Yes/ No
If the system hosts an Internet
site, please enter the site URL.
Do not enter any URL(s) for
Intranet sites.
Internet
Yes
Data-archive.nimh.nih.gov /
nda.nih.gov
Intranet
Yes
Both
Yes
29. Does the system host a website that is accessible by the public and does not meet the exceptions listed
in OMB M-03-22?
Note: OMB M-03-22 Attachment A, Section III, Subsection C requires agencies to post a privacy policy for
websites that are accessible to the public, but provides three exceptions: (1) Websites containing information
other than "government information" as defined in OMB Circular A-130; (2) Agency intranet websites that
are accessible only by authorized government users (employees, contractors, consultants, fellows, grantees);
and (3) National security systems defined at 40 U.S.C. 11103 as exempt from the definition of information
technology (see section 202(i) of the E-Government Act.).
Yes
30. If the website does not meet one or more of the exceptions described in Q. 29 (i.e., response to Q. 29 is
"Yes"), a website privacy policy statement (consistent with OMB M-03-22 and Title II and III of the EGovernment Act) is required. Has a website privacy policy been posted?
Yes
31. If a website privacy policy is required (i.e., response to Q. 30 is “Yes”), is the privacy policy in
machine-readable format, such as Platform for Privacy Preferences (P3P)?
Yes
31a. If no, please indicate when the website will be P3P compliant:
N/A
32. Does the website employ tracking technologies?
Yes
Please indicate “Yes”, “No”, or “N/A” for each
type of cookie below:
Yes/No/N/A
Web Bugs
No
Web Beacons
No
�Session Cookies
Yes
Persistent Cookies
No
Other
No
*33. Does the website have any information or pages directed at children under the age of thirteen?
No
33a. If yes, is there a unique privacy policy for the site, and does the unique privacy policy address the
process for obtaining parental consent if any information is collected?
N/A
34. Does the website collect PII from individuals directly?
No
Please indicate “Yes” or “No” for each category
below:
Yes/No
Name (for purposes other than contacting
federal employees)
No
Date of Birth
No
SSN
No
Photographic Identifiers
No
Driver's License
No
Biometric Identifiers
No
Mother's Maiden Name
No
Vehicle Identifiers
No
Personal Mailing Address
No
Personal Phone Numbers
No
Medical Records Numbers
No
Medical Notes
No
Financial Account Information
No
Certificates
No
Legal Documents
No
Device Identifiers
No
Web URLs
No
Personal Email Address
No
Education Records
No
Military Status
No
Employment Status
No
Foreign Activities
No
�Other
No
35. Are rules of conduct in place for access to PII on the website?
N/A
36. Does the website contain links to sites external to HHS that owns and/or operates the system?
No
36a. If yes, note whether the system provides a disclaimer notice for users that follow external links to
websites not owned or operated by HHS.
�ADMINISTRATIVE CONTROLS
1 Administrative Controls
Note: This PIA uses the terms “Administrative,” “Technical” and “Physical” to refer to security control
questions—terms that are used in several Federal laws when referencing security requirements.
37. Has the system been certified and accredited (C&A)?
No
37a. If yes, please indicate when the C&A was completed:
N/A
37b. If a system requires a C&A and no C&A was completed, is a C&A in progress?
Yes
38. Is there a system security plan for this system?
Yes
39. Is there a contingency (or backup) plan for the system?
Yes
40. Are files backed up regularly?
Yes
41. Are backup files stored offsite?
Yes
42. Are there user manuals for the system?
Yes
43. Have personnel (system owners, managers, operators, contractors and/or program managers) using
the system been trained and made aware of their responsibilities for protecting the information being
collected and maintained?
Yes
44. If contractors operate or use the system, do the contracts include clauses ensuring adherence to
privacy provisions and practices?
N/A
45. Are methods in place to ensure least privilege (i.e., “need to know” and accountability)?
Yes
45a. If yes, please specify method(s):
Role-based access and Least-privileged access by AWS access control.
*46. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer
to the C&A package and/or the Records Retention and Destruction section in SORN):
No
46a. If yes, please provide some detail about these policies/practices:
N/A
�TECHNICAL CONTROLS
1 Technical Controls
47. Are technical controls in place to minimize the possibility of unauthorized access, use, or
dissemination of the data in the system?
Yes
Please indicate “Yes” or “No” for each category
below:
Yes/No
User Identification
Yes
Passwords
Yes
Firewall
Yes
Virtual Private Network (VPN)
No
Encryption
No
Intrusion Detection System (IDS)
Yes
Common Access Cards (CAC)
No
Smart Cards
Yes
Biometrics
No
Public Key Infrastructure (PKI)
No
48. Is there a process in place to monitor and respond to privacy and/or security incidents?
Yes
48a. If yes, please briefly describe the process:
NIH incident response procedures
�PHYSICAL ACCESS
1 Physical Access
49. Are physical access controls in place?
Yes, Inherited from AWS cloud
Please indicate “Yes” or “No” for each category
below:
Yes/No
Guards
Yes
Identification Badges
Yes
Key Cards
Yes
Cipher Locks
No
Biometrics
No
Closed Circuit TV (CCTV)
Yes
*50. Briefly describe in detail how the PII will be secured on the system using administrative, technical,
and physical controls:
Access to the study participant PII data is role-based permission with least privilege functionality requiring
the use of identification and authenticators (NIH access credentials).
�APPROVAL/DEMOTION
1 System Information
System Name:
NIMH Data Archive - Omics and Imaging Data Store
2
PIA Reviewer Approval/Promotion or Demotion
Promotion/Demotion:
Comments:
Approval/Demotion
Point of Contact:
Date:
3
September 18, 2020
Senior Official for Privacy Approval/Promotion or Demotion
Promotion/Demotion:
Comments:
4
OPDIV Senior Official for Privacy or Designee Approval
Please print the PIA and obtain the endorsement of the reviewing official below. Once the signature
has been collected, retain a hard copy for the OPDIV's records. Submitting the PIA will indicate the
reviewing official has endorsed it
This PIA has been reviewed and endorsed by the OPDIV Senior Official for Privacy or Designee
(Name and Date):
Name: __________________________________
________________________________________
Date:
Name:
Date:
5
Department Approval to Publish to the Web
Approved for web publishing
Date Published:
Publicly posted PIA URL or no PIA URL
explanation:
PIA % COMPLETE
1
PIA Completion
PIA Percentage
Complete:
PIA Missing Fields:
100.00
�
| File Type | application/pdf |
| File Title | Primavera ProSight Report |
| Author | Hermach, William |
| File Modified | 2020-09-18 |
| File Created | 2020-09-18 |