Privacy Impact Assessment Form v 1.47.4

Status: Redraft
Form Number: F-41701
Form Date: 1/14/2020 1:17:24 PM

Question / Answer
1 OPDIV:
NIH

2 PIA Unique Identifier:
P-6278176-506881

2a Name:
Historically Black Colleges and Universities (HBCU) tool

3 The subject of this PIA is which of the following?
Options: General Support System (GSS); Major Application; Minor Application (stand-alone); Minor Application (child); Electronic Information Collection; Unknown

3a Identify the Enterprise Performance Lifecycle Phase of the system.
Implementation

3b Is this a FISMA-Reportable system?
Yes / No

4 Does the system include a Website or online application available to and for the use of the general public?
Yes / No

5 Identify the operator.
Agency / Contractor

6 Point of Contact (POC):
POC Title: Program Analyst, OD/OALM
POC Name: Rachel Kenlaw
POC Organization: OD/OM/OALM
POC Email: [email protected]
POC Phone: 301.451.6827

7 Is this a new or existing system?
New / Existing

8 Does the system have Security Authorization (SA)?
Yes / No

8a Date of Security Authorization
8/8/2019 12:00:00 AM

11 Describe the purpose of the system.
The system will allow those with access to see what grants and contracts are available through periodic data uploads from grants.nih.gov, NIH RePORTER, beta.sam.gov, and the Federal Procurement Data System (FPDS.gov). The data uploaded from these sites will reduce the user's reporting effort by prepopulating about 75% of the data input fields. Consolidating the upcoming grants and contracts into this system will decrease the burden on Historically Black Colleges and Universities (HBCUs) and businesses by giving them one site to access NIH funding opportunities. The information entered by an HBCU or a business is viewable only by that HBCU or business and the NIH Small Business Program Office (SBPO) staff.

12 Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)
The HBCU pre-solicitation portal uses specific login information to assign permissions/user roles, which is considered Personally Identifiable Information (PII). However, this is done by using the NIH Identity, Credential, and Access

Question 12 Comments
Please specify all "Other Identifiers" stored in the system within your answer.

13 Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.
The HBCU pre-solicitation portal uses specific login information to assign permissions/user roles, which is considered Personally Identifiable Information (PII). However,

Question 13 Comments
Please do not be concerned if Q12 and Q13 overlap/cover information that should be included in the other response. List all Personally Identifiable Information collected, maintained or shared.

14 Does the system collect, maintain, use or share PII?
Yes / No

15 Indicate the type of PII that the system will collect or maintain.
Options: Social Security Number; Date of Birth; Name; Photographic Identifiers; Driver's License Number; Biometric Identifiers; Mother's Maiden Name; Vehicle Identifiers; E-Mail Address; Mailing Address; Phone Numbers; Medical Records Number; Medical Notes; Financial Account Info; Certificates; Legal Documents; Education Records; Device Identifiers; Military Status; Employment Status; Foreign Activities; Passport Number; Taxpayer ID

Question 15 Comments
Per Q12, please specify and list "Other Identifiers" in the free text.

16 Indicate the categories of individuals about whom PII is collected, maintained or shared.
Options: Employees; Public Citizens; Business Partners/Contacts (Federal, state, local agencies); Vendors/Suppliers/Contractors; Patients; Other

Question 16 Comments
Per Q11, "System will decrease the burden on the Historically Black Colleges and Universities HBCUs and businesses by giving them one site to access NIH funding opportunities", who are considered public citizens, please also select "Public Citizens" in your answer.

17 How many individuals' PII is in the system?
<100

18 For what primary purpose is the PII used?
Users accessing the system will be shown specific features; access is based on their role.

19 Describe the secondary uses for which the PII will be used (e.g. testing, training or research)
n/a

20 Describe the function of the SSN.
n/a

20a Cite the legal authority to use the SSN.
n/a

21 Identify legal authorities governing information use and disclosure specific to the system and program.
n/a

22 Are records on the system retrieved by one or more PII data elements?
Yes / No

23 Identify the sources of PII in the system.
Directly from an individual about whom the information pertains: In-Person; Hard Copy: Mail/Fax; Email; Online; Other
Government Sources: Within the OPDIV; Other HHS OPDIV; State/Local/Tribal; Foreign; Other Federal Entities; Other
Non-Government Sources: Members of the Public; Commercial Data Broker; Public Media/Internet; Private Sector

23a Identify the OMB information collection approval number and expiration date.
n/a

24 Is the PII shared with other organizations?
Yes / No
Options: Within HHS; Other Federal Agency/Agencies; State or Local Agency/Agencies; Private Sector

24a Identify with whom the PII is shared or disclosed and for what purpose.
To find the right partners to apply for the funding opportunities

24b Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).
n/a

24c Describe the procedures for accounting for disclosures
No Disclosures

25 Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
The application shows the 'Terms and Conditions' banner that informs the user that personal information is collected.

26 Is the submission of PII by individuals voluntary or mandatory?
Voluntary / Mandatory

27 Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
There is no opt-out method for users since their email address is needed for authentication purposes. There is no collection of PII from the general public.

28 Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
No major changes are expected to occur that would impact the use of the email address. However, if changes were to occur, an email will be sent to the users to mention the changes and either obtain their consent or let them opt out of the system.

29 Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
In the event that the user has any concern that their data has been inappropriately obtained, used, or disclosed, they have the option to use the 'Contact Us' page to contact the OALM Staff.

30 Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
The Personally Identifiable Information (PII) data within the OALM HBCU Tool will be backed up every day to ensure data availability and will be reviewed periodically to ensure the integrity of the data.

31 Identify who will have access to the PII in the system and the reason why they require access.
Users: To find partnership opportunities
Administrators: Administrators have access to the data, and the main focus is to back up and restore data.
Developers:
Contractors: Contractors maintaining the system
Others:

Question 31 Comments
Please select "Contractors" if any type of contractor will have access to the PII in the system. Please specify if the contractors are direct contractors. Direct contractors are contractors that operate on behalf of the agency and use the agency's credentials when doing so.

32 Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
The System Administrators are required to read the NIH IT General Rules of Behavior (https://ocio.nih.gov/aboutus/publicinfosecurity/securitytraining/Pages/NIH_IT_GeneralRulesofBehavior.aspx) document, which details general security practices, data privacy and protection.

33 Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
The OALM HBCU Tool has role-based authorization to ensure least-privilege access to the data in the system. An individual user's access in terms of read/write/review within the OALM HBCU Tool is controlled by very strict role-based control.

34 Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.
The NIH Security Awareness Training course is used to satisfy this requirement. According to NIH policy, all personnel who use NIH applications must attend security awareness training every year. There are four categories of mandatory IT training (Information Security, Counterintelligence, Privacy Awareness, and Records Management). Training is completed on the http://irtsectraining.nih.gov site with valid NIH credentials.

35 Describe training system users receive (above and beyond general security and privacy awareness training).
n/a

36 Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?
Yes / No

37 Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.
Records are maintained within the HBCU pre-solicitation portal for a time of no less than six years after a password is altered or a user account is terminated, in accordance with NARA record retention schedule 3.2.031, System access records; Systems requiring special accountability for access; DAA-GRS-2013-0006-0004.
Records are maintained within the pre-solicitation portal for one year after the system is superseded by a new iteration or when no longer needed for agency/Information Technology (IT) administrative purposes, to ensure a continuity of security controls throughout the life of the system, in accordance with NARA record retention schedule 3.2.010, Systems and data security records: DAA-GRS-2013-0006-0001.
General Records Schedule 3.2, Information Systems Security Records, Item 010, Systems and data security records. Disposition Authority DAA-GRS-2013-0006-0002. Disposition: Temporary. Destroy 3 year(s) after all necessary follow-up actions have been completed.
General Records Schedule 3.2, Information Systems Security Records, Item 030, System access records. Disposition Authority DAA-GRS-2013-0006-0003. Disposition: Temporary. Destroy when business use ceases.

38 Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.
Administrative Controls & Technical Controls: Access to the system is controlled by NIH log-in, which authenticates the user prior to granting access. Access level and permissions are controlled by the system and based on user, role, organizational unit, and status of the report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain integrity of data.
Physical Controls: The servers reside in the Center for Information Technology (CIT) Computer Room, where policies and procedures are in place to restrict access to the machines. This includes guards at the front door and entrance to the machine room.
The system is hosted at NIH OIT within a secure Windows environment and can only be accessed by Administrators with authentication information. Technical controls such as a firewall are in place to protect from unauthorized intrusions.

39 Identify the publicly-available URL:
https://oamp.hbcu.od.nih.gov

40 Does the website have a posted privacy notice?
Yes / No

40a Is the privacy policy available in a machine-readable format?
Yes / No

41 Does the website use web measurement and customization technology?
Yes / No

42 Does the website have any information or pages directed at children under the age of thirteen?
Yes / No

43 Does the website contain links to non-federal government websites external to HHS?
Yes / No

REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions / Answer

1 Are the questions on the PIA answered correctly, accurately, and completely?
Yes / No
Reviewer Notes

2 Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities?
Yes / No
Reviewer Notes

3 Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors?
Yes / No
Reviewer Notes

4 Does the PIA appropriately describe the PII quality and integrity of the data?
Yes / No
Reviewer Notes

5 Is this a candidate for PII minimization?
Yes / No
Reviewer Notes

6 Does the PIA accurately identify data retention procedures and records retention schedules?
Yes / No
Reviewer Notes

7 Are the individuals whose PII is in the system provided appropriate participation?
Yes / No
Reviewer Notes

8 Does the PIA raise any concerns about the security of the PII?
Yes / No
Reviewer Notes

9 Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be?
Yes / No
Reviewer Notes

10 Is the PII appropriately limited for use internally and with third parties?
Yes / No
Reviewer Notes

11 Does the PIA demonstrate compliance with all Web privacy requirements?
Yes / No
Reviewer Notes

12 Were any changes made to the system because of the completion of this PIA?
Yes / No
Reviewer Notes

General Comments
This component is under the OD GSS, whose Universal Unique Identifier (UUID) is 2092B382-A4F2-4FD5-A93E-1857E18B771E.

OPDIV Senior Official for Privacy Signature
HHS Senior Agency Official for Privacy

File Type: application/zip
File Modified: 0000-00-00
File Created: 2021-01-13