Pia

PIA Historically Black Colleges and Universities HBCU tool 1-14-2020 (002).docx

Collection of grant and contract data that may be of interest to Historically Black Colleges and Universities (HBCUs) and small businesses (OD/OALM)

PIA

OMB: 0925-0767

Document [zip]
Download: zip | pdf

Save

Shape14


Privacy Impact Assessment Form

v 1.47.4

Status Redraft Form Number F-41701 Form Date 1/14/2020 1:17:24 PM

Question Answer

1 OPDIV:

NIH


2 PIA Unique Identifier:

P-6278176-506881



2a Name:


Historically Black Colleges and Universities (HBCU) tool


General Support System (GSS) Major Application

Minor Application (stand-alone)

3 The subject of this PIA is which of the following?

Minor Application (child)

Electronic Information Collection Unknown

3a Identify the Enterprise Performance Lifecycle Phase Implementation of the system.


3b Is this a FISMA-Reportable system?

Yes No


Does the system include a Website or online Yes

4 application available to and for the use of the general

public? No

Agency

5 Identify the operator.

Contractor

POC Title Program Analyst, OD/OALM


POC Name Rachel Kenlaw


6 Point of Contact (POC): POC Organization OD/OM/OALM

POC Email [email protected]

POC Phone 301.451.6827

New

7 Is this a new or existing system?

Existing

Yes

8 Does the system have Security Authorization (SA)?

No

8a Date of Security Authorization


8/8/2019 12:00:00 AM





Shape1 Shape2 Shape3 Shape4 Shape5 Shape6 Shape7 Shape8 Shape9 Shape10 Shape11 Shape12 Shape13











11 Describe the purpose of the system.

The system will allow those with access to see what grants and contracts are available through periodic data uploads from grants.nih.gov, NIH RePORTER, beta.sam.gov, and the Federal Procurement Data System (FPDS.gov). The data uploaded from these sites will reduce the user’s reporting effort by prepopulating about 75% of the data input fields.

Consolidating the upcoming grants and contracts into this system will decrease the burden on the Historically Black Colleges and Universities HBCUs and businesses by giving them one site to access NIH funding opportunities. The information entered by an HBCU or a business is viewable only by that HBCU or business and the NIH Small Business Program Office (SBPO) staff.


Describe the type of information the system will

12 collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask

about the specific data elements.)

The HBCU pre-solicitation portal uses specific login information to assign permissions/user roles which is considered Personally Identifiable Information (PII). However, this is done by using the NIH Identity, Credential, and Access



Question 12 Comments

Please specify All "Other Identifiers" stored in the system within your answer.


Provide an overview of the system and describe the

13 information it will collect, maintain (store), or share, either permanently or temporarily.

The HBCU pre-solicitation portal uses specific login information to assign permissions/user roles which is considered Personally Identifiable Information (PII). However,




Question 13 Comments

Please Do Not be concerned if Q12 and Q13 overlap/cover information that should be included in the other response. List "All" Personal Identifiable Information collected, maintained or shared.


Yes

14 Does the system collect, maintain, use or share PII?

No

Social Security Number Date of Birth

Name Photographic Identifiers Driver's License Number Biometric Identifiers

Mother's Maiden Name Vehicle Identifiers

E-Mail Address Mailing Address

Phone Numbers Medical Records Number

Medical Notes Financial Account Info

Certificates Legal Documents

15 Indicate the type of PII that the system will collect or Education Records Device Identifiers maintain.

Military Status Employment Status

Foreign Activities Passport Number Taxpayer ID


Shape15 Shape16 Shape17 Shape18 Shape19 Shape20





Question 15 Comments

Per Q12, please specify and list "Other Identifiers" in the free text.


Employees Public Citizens

Indicate the categories of individuals about whom PII Business Partners/Contacts (Federal, state, local agencies)

16 is collected, maintained or shared. Vendors/Suppliers/Contractors

Patients

Other



Question 16 Comments

Per Q11, "System will decrease the burden on the Historically Black Colleges and Universities HBCUs and businesses by giving them one site to access NIH funding opportunities", whom are considered public citizens, please also select "Public Citizens" in your answer.


17 How many individuals' PII is in the system? <100

18 For what primary purpose is the PII used? Users accessing the system will be shown specific features.

Access based on their role.

19 Describe the secondary uses for which the PII will be used (e.g. testing, training or research)


n/a



20 Describe the function of the SSN. n/a


20a Cite the legal authority to use the SSN. n/a

21 Identify legal authorities governing information use n/a and disclosure specific to the system and program.

Are records on the system retrieved by one or more Yes

22 PII data elements? No


Shape26 Shape27 Shape28 Shape29 Shape21 Shape22 Shape23 Shape24 Shape25 Shape30



Directly from an individual about whom the information pertains






  1. Identify the sources of PII in the system.







Government Sources








Non-Government Sources

In-Person Hard Copy: Mail/Fax

Email Online Other


Within the OPDIV Other HHS OPDIV State/Local/Tribal

Foreign Other Federal Entities

Other


Members of the Public








23a Identify the OMB information collection approval number and expiration date.

Commercial Data Broker Public Media/Internet

Private Sector


n/a

Other



  1. Is the PII shared with other organizations?

Yes No

Within HHS





24a




Identify with whom the PII is shared or disclosed and for what purpose.

Other Federal Agency/Agencies

State or Local Agency/Agencies


Private Sector







24b




Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

To find the right partners to apply for the funding opportunities



n/a



24c Describe the procedures for accounting for disclosures

The application shows the 'Terms and Conditions' banner that informs the user that personal information is collected.


No Disclosures

Describe the process in place to notify individuals

  1. Shape31 that their personal information will be collected. If no prior notice is given, explain the reason.

  2. Is the submission of PII by individuals voluntary or mandatory?



Voluntary Mandatory




Describe the method for individuals to opt-out of the

27 collection or use of their PII. If there is no option to object to the information collection, provide a

reason.

There is no opt-out method for users since their email address is needed for authentication purposes. There is no collection of PII from the general public.


Describe the process to notify and obtain consent

from the individuals whose PII is in the system when No major changes are expected to occur that would impact major changes occur to the system (e.g., disclosure the use of the email address. However, if changes were to

28 and/or data uses have changed since the notice at occur, an email will be sent to the users to mention the

the time of original collection). Alternatively, describe changes and either obtain their consent or let them opt out of why they cannot be notified or have their consent the system.

obtained.

Describe the process in place to resolve an

individual's concerns when they believe their PII has In the event if the user has any concern that their data is

29 been inappropriately obtained, used, or disclosed, or inappropriately obtained, used, or disclosed, they have the that the PII is inaccurate. If no process exists, explain option to use the 'Contact Us' page to contact the OALM Staff. why not.

Describe the process in place for periodic reviews of The Personally Identifiable Information (PII) data within OALM

30 PII contained in the system to ensure the data's HBCU Tool will be backed up every day to ensure the data integrity, availability, accuracy and relevancy. If no availability and will be reviewed periodically to ensure the

processes are in place, explain why not. integrity of the data.






31 Identify who will have access to the PII in the system and the reason why they require access.

Users

To find partnership opportunities



Administrators

Administrators have access to the data and the main focus is to backup and restore data.

Developers


Shape32

Contractors

Contractors maintaining the system

Others




Question 31 Comments

Please select "Contractors" if any type of contractors will have access to the PII in the system. Please specify if the contractors are direct contractors. Direct contractors are contractors that operate on behalf of the agency and use the agency's credentials when doing so.


The System Administrators are required to read the NIH IT Describe the procedures in place to determine which General Rules of Behavior (https://ocio.nih.gov/aboutus/

32 system users (administrators, developers, publicinfosecurity/securitytraining/Pages/

contractors, etc.) may access PII. NIH_IT_GeneralRulesofBehavior.aspx) document that details

General Security practices, data privacy and protection.

Describe the methods in place to allow those with OALM HBCU Tool have role-based authorization to ensure least

33 access to PII to only access the minimum amount of privilege access to the data in the system. An individual user’s

information necessary to perform their job. access in terms of read/write/review within OALM HBCU Tool is

controlled by very strict role-based control.

Identify training and awareness provided to personnel (system owners, managers, operators,

34 contractors and/or program managers) using the system to make them aware of their responsibilities

for protecting the information being collected and maintained.

The NIH Security Awareness Training course is used to satisfy this requirement. According to NIH policy, all personnel who use NIH applications must attend security awareness training every year. There are four categories of mandatory IT training (Information Security, Counterintelligence, Privacy Awareness, and Records Management). Training is completed on the http://irtsectraining.nih.gov site with valid NIH credentials.





Shape33 Shape34 Shape35 Shape43 Shape36 Shape37 Shape38 Shape39 Shape40 Shape41 Shape42





Describe training system users receive (above and

35 beyond general security and privacy awareness training).


n/a


Do contracts include Federal Acquisition Regulation Yes

36 and other appropriate clauses ensuring adherence to

privacy provisions and practices? No

Records are maintained within the HBCU pre-solicitation portal for a time of no less than six years after a password is altered or an user account is terminated in accordance with NARA record retention schedule: 3.2.031, System access records; Systems requiring special accountability for access; DAA-

GRS-2013-0006-0004

Records are maintained within the pre-solicitation portal for one year after the system is superseded by a new iteration or when no longer needed for agency/Information Technology (IT) administrative purposes to ensure a continuity of security controls throughout the life of the system in accordance with

Describe the process and guidelines in place with NARA record retention schedule:

37 regard to the retention and destruction of PII. Cite 3.2.010, Systems and data security records: DAA- specific records retention schedules. GRS-2013-0006-0001


General Records Schedule 3.2, Information Systems Security Records, Item 010, Systems and data security records.

Disposition Authority DAA-GRS-2013-0006-0002. Disposition: Temporary: Destroy 3 year(s) after all necessary follow-up actions have been completed


General Records Schedule 3.2, Information Systems Security Records, Item 030, System access records. Disposition Authority DAA-GRS-2013-0006-0003. Disposition: Temporary. Destroy when business use ceases.

Administrative Controls: &

Technical Controls: Access to the system is controlled by NIH log-in which authenticates the user prior to granting access. Access level and permissions are controlled by the system and based on user, role, organizational unit, and status of the report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain

Describe, briefly but with specificity, how the PII will integrity of data.

38 be secured in the system using administrative,

technical, and physical controls. Physical Controls: The servers reside in the Center for

Information Technology (CIT) Computer Room where policies

and procedures are in place to restrict access to the machines. This includes guards at the front door and entrance to the machine room.


The System is hosted at NIH OIT within a secure Windows environment and can only be accessed by Administrators with authentication information. Technical controls such as firewall is in place to protect from unauthorized intrusions.

39 Identify the publicly-available URL: https://oamp.hbcu.od.nih.gov

Yes

40 Does the website have a posted privacy notice?

No


Shape45 Shape46 Shape47 Shape44 Shape48



Is the privacy policy available in a machine-readable Yes 40a format? No

Does the website use web measurement and Yes

41 customization technology? No

Does the website have any information or pages Yes

42 directed at children under the age of thirteen? No

Does the website contain links to non- federal Yes

43 government websites external to HHS? No



REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions Answer

Yes

1 Are the questions on the PIA answered correctly, accurately, and completely?

No

Reviewer

Notes

Does the PIA appropriately communicate the purpose of PII in the system and is the purpose Yes

2 justified by appropriate legal authorities? No

Reviewer

Notes

Do system owners demonstrate appropriate understanding of the impact of the PII in the Yes

3 system and provide sufficient oversight to employees and contractors? No

Reviewer

Notes

Yes

4 Does the PIA appropriately describe the PII quality and integrity of the data?

No

Reviewer

Notes

Yes

5 Is this a candidate for PII minimization?

No

Reviewer

Notes

Yes

6 Does the PIA accurately identify data retention procedures and records retention schedules?

No

Reviewer

Notes

Yes

7 Are the individuals whose PII is in the system provided appropriate participation?

No

Reviewer

Notes


Shape49 Shape50 Shape51 Shape52 Shape53 Shape54 Shape55 Shape56 Shape57 Shape58 Shape59


Shape60 Reviewer Questions Answer

Yes

8 Does the PIA raise any concerns about the security of the PII?

No

Reviewer

Notes


9


Reviewer

Notes

Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be?

Yes No



Yes

  1. Is the PII appropriately limited for use internally and with third parties?


Reviewer

Notes


  1. Does the PIA demonstrate compliance with all Web privacy requirements?


Reviewer

Notes


  1. Were any changes made to the system because of the completion of this PIA?

No




Yes No




Yes No

Reviewer

Notes




General Comments


This component is under the OD GSS, whose Universal Unique Identifier (UUID) is: 2092B382-A4F2-4FD5- A93E-1857E18B771E.





OPDIV Senior Official for Privacy Signature

HHS Senior Agency Official for Privacy

Page 1 of 8


File Typeapplication/zip
File Modified0000-00-00
File Created2021-01-13

© 2024 OMB.report | Privacy Policy