Pia

A_Privacy Impact Assessment-NIH NIMH NDA_09182020.pdf

NDAR Data Access Request (NIMH)

PIA

OMB: 0925-0667

Document [pdf]
Download: pdf | pdf
PRIVACY IMPACT ASSESSMENT (PIA)
FOR

NATIONAL INSTITUTE OF MENTAL HEALTH
DATA ARCHIVES (NDA)

September 18th, 2020

Introduction
The E-Government Act of 2002, Section 208, establishes the requirement for agencies to
conduct privacy impact assessments (PIAs) for electronic information systems and
collections. The assessment is a practical method of evaluating privacy in information
systems and collections, and documented assurance that privacy issues have b een identified
and adequately addressed.
The process is designed to guide NIH system owners and developers in assessing privacy
during the early stages of development and throughout the System Development Life Cycle
(SDLC), to determine how their project will affect the privacy of individuals and whether
the project objectives can be met while also protecting privacy.
This guide provides a framework for conducting privacy impact assessments and a
methodology for assessing how Personally Identifiable Information (PII) is to be managed
in information systems within the NIH.
PIA Overview
Conducting a PIA ensures compliance with laws and regulations governing privacy and
demonstrates the NIH’s commitment to protect the privacy of any personal information we
collect, store, retrieve, use and share. It is a comprehensive analysis of how the NIH’s
electronic information systems and collections handle Personally Identifiable Information
(PII). The objective of the PIA is to systematically identify the risks and potential effects of
collecting, maintaining, and disseminating PII and to examine and evaluate alternative
processes for handling information to mitigate potential privacy risks.
Personally Identifiable Information (PII)
PII is information in an IT system or online collection that directly identifies an individual
(e.g., name, address, social security number or other identifying number or code,
telephone number, email address, etc.) In addition, PII may be comprised of information
by which an agency intends to identify specific individuals in conjunction with other data
elements, i.e., indirect identification. These data elements may also include gender, race,
birth date, geographic indicator and other descriptors.

HHS Privacy Impact Assessment (Form) / NIH NIMH Data Archive System

PIA SUMMARY
1
The following required questions with an asterisk (*) represent the information necessary to complete the
PIA Summary for transmission to the Office of Management and Budget (OMB) and public posting in
accordance with OMB Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. If
the system hosts a website, the Website Hosting Practices section is required to be completed regardless of
the presence of personally identifiable information (PII). If no PII is contained in the system, please answer
questions in the PIA Summary Tab and then promote the PIA to the Senior Official for Privacy who will
authorize the PIA. If this system contains PII, all remaining questions on the PIA Form Tabs must be
completed prior to signature and promotion.
2

Summary of PIA Required Questions

*Is this a new PIA?
No, This is an existing system
If this is an existing PIA, please provide a reason for revision:
FIPS-199 categorization has been updated to FISMA Moderate
*1. Date of this Submission:
September 18, 2020
*2. OPDIV Name:
NIH
*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.13 is Yes, a SORN number is
required for Q.4):
N/A
*5. OMB Information Collection Approval Number:
N/A
*6. Other Identifying Number(s):
N/A
*7. System Name (Align with system item name):
National Institute of Mental Health Data Archive (NDA)
*8. System Point of Contact (POC). The System POC is the person to whom questions about the system
and the responses to this PIA may be addressed:
Point of Contact Information
System POC Name

Gurpreet Panjrath –
[email protected]

202.849.1158
*9. Provide an overview of the system:
NDA is a collection of information systems supporting the full range of brain and mental health research activities. It
provides infrastructure for sharing research data, tools, methods, and analyses enabling collaborative science
and discovery. De-identified human subject’s data, harmonized to a common standard, are made available to
qualified researchers. The NDA mission is to accelerate scientific research and discovery through data
sharing, data harmonization, and the reporting of research results.
*10. Indicate if the system is new or an existing one being modified:
NDA is an existing system being modified
*11. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any
database(s), record(s), file(s) or website(s) hosted by this system?
Yes
TIP: If the answer to Question 11 is “No” (indicating the system does not contain PII), only the remaining
PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA
must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII
“permitting the physical or online contacting of a specific individual … employed [by] the Federal
Government – only need to complete the PIA Summary tab.)
11a. Is this a GSS PIA, included for A&A purposes only, with no ownership of underlying application
data? If the response to Q.11a is Yes, the response to Q.11 should be No and only the PIA Summary must
be completed.
No
*12. Are records on the system retrieved by 1 or more PII data elements?
No
*13. Is the system subject to the Privacy Act? (If the response to Q.12 is Yes, the response to Q.13 must be
Yes and a SORN number is required for Q.4)
No
*14. If the system shares or discloses PII, please specify with whom and for what purpose(s):
All NDA geolocation, sensor and device ID data are de-identified prior to being shared or disclosed to the
researchers with the IRB approval.

*15. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate
(clearly state if the information contained in the system ONLY represents federal contact data); (2) Why
and for what purpose the agency will use the information; (3) Explicitly indicate whether the information
contains PII; and (4) Whether submission of personal information is voluntary or mandatory:
The investigators collect the following information from the research participants. NDA then collects these
data from the investigators. NDA maintains, disseminates and /or made available these data to researchers
with a need-to-know privileges and permissions:
1.
• Study ID
• Participant ID
• Sensor type
• Device OS type
• Device IDs (smart watches)
• Timestamp (date and time) data

• Latitude, longitude, and altitude coordinates (with 68% confidence)
• Message type (SMS, MMS, and phone)
• Address (hashes of phone number or contact)
• Communication direction (incoming, outgoing or missed)
• Communication duration
• De-identified Scientific Research Data (OMICS and Bioassay data) from Study Investigators.
2. The information being collected are used for research and studies to create derived variables using
published analysis methods.
3. The information being collected are sensitive data of the participants, however they do not uniquely
identify a participant hence these data do not contain PII.
4. Participation in the study and for that matter data collection is voluntary.
*16. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals
whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have
changed since the notice at the time of the original collection); (2) Notify and obtain consent from
individuals regarding what PII is being collected from them; and (3) How the information will be used or
shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written
notice, electronic notice, etc.]):
NDA does not directly obtain consent from research participants whose data is submitted to NDA.
Investigators submitting human subjects research data to NDA, and their research institution, agree that the
data are collected pursuant to an informed consent that is consistent with the data submission and used for
health research purposes. Submitters and their institutions further acknowledge that the data are collected in
a manner consistent with all applicable laws and regulations, as well as institutional policies.
*17. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices
section is required to be completed regardless of the presence of PII)
Yes
*18. Does the website have any information or pages directed at children under the age of thirteen?
No
*19. Are there policies or guidelines in place with regards to the retention and destruction of PII? (Refer
to the A&A package and/or the Records Retention and Destruction section in SORN)
N/A
*20. Briefly describe in detail how the PII will be secured on the system using administrative, technical,
and physical controls:
Access to the study participant PII data is role-based permission with least privilege functionality requiring
the use of identification and authenticators (NIH access credentials).

PIA REQUIRED INFORMATION
1 HHS Privacy Impact Assessment (PIA)
The PIA determines if Personally Identifiable Information (PII) is contained within a system, what kind of
PII, what is done with that information, and how that information is protected. Systems with PII are subject
to an extensive list of requirements based on privacy laws, regulations, and guidance. The HHS Privacy Act
Officer may be contacted for issues related to Freedom of Information Act (FOIA) and the Privacy Act.
Respective Operating Division (OPDIV) Privacy Contacts may be contacted for issues related to the Privacy
Act. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions related to
the administrative, technical, and physical controls of the system. Please note that answers to questions with
an asterisk (*) will be submitted to the Office of Management and Budget (OMB) and made publicly
available in accordance with OMB Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible.
2

General Information

*Is this a new PIA?
No
If this is an existing PIA, please provide a reason for revision:
FIPS-199 Categorization for the system changed to FISMA Moderate.
*1. Date of this Submission:
September 18 2020
*2. OPDIV Name:
NIH
3. Unique Project Identifier (UPI) Number for current fiscal year (Data is auto-populated from the
System Inventory form, UPI table):
149C0961-9C43-42E7-AEEC-39BFD537CB71
*4. OMB Information Collection Approval Number:
N/A
4a. OMB Collection Approval Number Expiration Date:
N/A
*5. Other Identifying Number(s):
N/A
6. System Location: (OPDIV or contractor office building, room, city, and state)
System Location:
OPDIV or contractor office building

Amazon Cloud

Room

N/A

City

N/A

State

N/A

*7. System Point of Contact (POC). The System POC is the person to whom questions about the system
and the responses to this PIA may be addressed:
Point of Contact Information
POC Name

Gurpreet Panjrath

The following information will not be made publicly available:
POC Title

NDA Project Manager

POC Organization

HHS/NIH/NIMH

POC Phone

202.849.1158

POC Email

[email protected]

*8. Provide an overview of the system: (Note: The System Inventory form can provide additional
information for child dependencies if the system is a GSS)
Funded by the National Institutes of Health, the National Institute of Mental Health Data Archive (NDA) is a
single infrastructure that was initially created through the integration of a set of research data repositories
including the National Database for Autism Research (NDAR), the Research Domain Criteria Database
(RDoCdb), the National Database for Clinical Trials related to Mental Illness (NDCT), and the NIH
Pediatric MRI Repository (PedsMRI). The NDA infrastructure was established to support autism research,
but has grown into an informatics platform that facilitates data sharing across all of mental health and other
research communities, making data available from each of these repositories combined into a single resource
with a single process for gaining access to all shared data.

SYSTEM CHARACTERIZATION AND DATA CATEGORIZATION
1 System Characterization and Data Configuration
9. Does HHS own the system?
Yes, NIH owns NDA but is hosted in Amazon AWS

9a. If no, identify the system owner:
N/A
10. Does HHS operate the system? (If the system is operated at a contractor site, the answer should be No)
No
11. If no, identify the system operator:
N/A
12. Identify the life-cycle phase of this system:
The system is in Production
13. Have any of the following major changes occurred to the system since the PIA was last submitted?
Please indicate “Yes” or “No” for each category
below:

Yes/No

Conversions

No

Anonymous to Non-Anonymous

No

Significant System Management Changes

No

Significant Merging

No

New Public Access

No

Commercial Sources

No

New Interagency Uses

No

Internal Flow or Collection

No

Alteration in Character of Data

No

14. Is the system a General Support System (GSS), Major Application (MA), Minor Application (child) or
Minor Application (stand-alone)?
Minor Application (child)
*15. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any
database(s), record(s), file(s) or website(s) hosted by this system?
Researchers contributing data to the NIMH Data Archive (NDA) are responsible for ensuring their data are
deidentified and that Personally Identifiable Information (PII) is not uploaded to the NDA inside data files or
in data file names or headers. NDA requires that all data file names, and headers do not contain any
information that reveals PII. NDA provisions data to authorized users for secondary analysis and thus
masked PII may appear to secondary users as true PII. Masked PII can also obscure the presence of real PII
erroneously left unmasked within the same dataset. Examples of masked PII include names and initials of

non-subjects, dates that do not refer to interview dates or birthdates, and any “scrambled” or falsified values
in a PII field.
NDA allows for two exceptions where identifying information clearly does not relate to research subjects
and therefore does not have to be removed prior to submission: (1) the surname of the Principal Investigator
(PI) of the research project and (2) serial numbers for devices that are not pacemakers or other items unique
to an individual.
TIP: If the answer to Question 15 is “No” (indicating the system does not contain PII), only the remaining
PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA
must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII
“permitting the physical or online contacting of a specific individual … employed [by] the Federal
Government – only need to complete the PIA Summary tab.)
Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use
the Other field to identify the appropriate category of PII.
Categories:

Yes/No

Name (for purposes other than contacting
federal employees)

No

Date of Birth

No

Social Security Number (SSN)

No

Photographic Identifiers

No

Driver’s License

No

Biometric Identifiers

No

Mother’s Maiden Name

No

Vehicle Identifiers

No

Personal Mailing Address

No

Personal Phone Numbers

No

Medical Records Numbers

No

Medical Notes

No

Financial Account Information

No

Certificates

No

Legal Documents

No

Device Identifiers

Yes NDA allows for exception where identifying
information clearly does not relate to research subjects
and therefore does not have to be removed prior to
submission: serial numbers for devices that are not
pacemakers or other items unique to an individual NDA
recommends removing these values from files if feasible.

Web Uniform Resource Locator(s) (URL)

No

Personal Email Address

No

Education Records

No

Military Status

No

Employment Status

No

Foreign Activities

No

Other

Yes – Lat / Lon data with 68% confidence, Device
ID for smart watches, Time Zone, Communication
Time (text, calls, length of call)

1 6. Please indicate the categories of individuals about whom PII is collected, maintained, disseminated

and/or passed through. Note: If the applicable PII category is not listed, please use the other field to
identify the appropriate category of PII. Please answer "Yes" or "No" to each of these choices (NA in other
is not applicable).
Categories:

Yes/No

Employees

No

Public Citizen

No

Patients

No

Business partners/contacts (Federal, state, local
agencies)

No

Vendors/Suppliers/Contractors

No

Other

Yes - Research Subjects

17. Are 10 or more records containing PII maintained, stored or transmitted/passed through this system?
No

INFORMATION SHARING PRACTICES
1 Information Sharing Practices
18. Does the system share or disclose PII with other divisions within this agency, external agencies, or
other people or organizations outside the agency?
Yes, only the device ID and geolocation data which do not uniquely identify a research subject.
Please indicate “Yes” or “No” for each category Yes/No
below:
Name (for purposes other than contacting
federal employees)

No

Date of Birth

No

SSN

No

Photographic Identifiers

No

Driver’s License

No

Biometric Identifiers

No

Mother’s Maiden Name

No

Vehicle Identifiers

No

Personal Mailing Address

No

Personal Phone Numbers

No

Medical Records Numbers

No

Medical Notes

No

Financial Account Information

No

Certificates

No

Legal Documents

No

Device Identifiers

Yes NDA allows for exception where identifying
information clearly does not relate to research subjects
and therefore does not have to be removed prior to
submission: serial numbers for devices that are not
pacemakers or other items unique to an individual. NDA
recommends removing these values from files if feasible.

Web URLs

No

Personal Email Address

No

Education Records

No

Military Status

No

Employment Status

No

Foreign Activities

No

Other

Yes – Lat / Lon data with 68% confidence, Device
ID for smart watches, Time Zone, Communication
Time (text, calls, length of call)

*19. If the system shares or discloses PII please specify with whom and for what purpose(s):
Whom: IRB approved investigators
Purpose: For scientific research purposes described in research proposal, approved by IRB
20. If the PII in the system is matched against PII in one or more other computer systems, are computer
data matching agreement(s) in place?
N/A

21. Is there a process in place to notify organizations or systems that are dependent upon the PII
contained in this system when major changes occur (i.e., revisions to PII, or when the system is replaced)?
N/A

22. Are individuals notified how their PII is going to be used?
N/A

22a. If yes, please describe the process for allowing individuals to have a choice. If no, please provide an
explanation.
N/A
23. Is there a complaint process in place for individuals who believe their PII has been inappropriately
obtained, used, or disclosed, or that the PII is inaccurate?
N/A

23a. If yes, please describe briefly the notification process. If no, please provide an explanation.
N/A
24. Are there processes in place for periodic reviews of PII contained in the system to ensure the data’s
integrity, availability, accuracy and relevancy?
Yes
24a. If yes, please describe briefly the review process. If no, please provide an explanation.
Access to these research data is strictly based on need-to-know by the researchers with least permissions that
do not allow modifications of data to protect the data integrity and accuracy. NDA being in AWS cloud
caters for the data availability as AWS implements availability zones for redundancy.
25. Are there rules of conduct in place for access to PII on the system?
Yes
Please indicate "Yes," "No," or "N/A" for each category. If yes, briefly state the purpose for each user to
have access:
Users with access to PII

Yes/No/N/A

User

Not Applicable

Administrators

Not Applicable

Developers

Yes, NDA Staff has access to the
data

Contractors

Not Applicable

Purpose

This is for Development and
Administrative purposes.

Other

Yes - Investigators

For scientific research purposes
described in research proposal,
approved by IRB

*26. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate
(clearly state if the information contained in the system ONLY represents federal contact data); (2) Why
and for what purpose the agency will use the information; (3) Explicitly indicate whether the information
contains PII; and (4) Whether submission of personal information is voluntary or mandatory:
NDA houses, harmonizes, and shares human-subjects data collected as part of NIH-funded projects with the
goal of accelerating progress in the research of mental health. NDA stores and shares clinical/phenotypic,
neuroimaging, genomic, and other data from hundreds of thousands of research participants. NDA is one
database infrastructure that supports efforts to make data collected by different laboratories as consistent as
possible and allow other researchers to access those data for secondary use. Some of these datasets contain
PII about research participants, such as geolocation data, device IDs, and sensor data. Research participant
data, which may include PII about those participants, is submitted by investigators through NDA if the
appropriate participant consent is provided to the research team.
*27. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals
whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have
changed since the notice at the time of the original collection); (2) Notify and obtain consent from
individuals regarding what PII is being collected from them; and (3) How the information will be used or
shared. (Note: Please describe in what format individuals will be given notice of consent [e.g., written
notice, electronic notice, etc.])
NDA does not directly obtain consent from research participants whose data is submitted to NDA.
Investigators submitting human subjects research data to NDA, and their research institution, agree that the
data are collected pursuant to an informed consent that is consistent with the data submission. Submitters
and their institutions further acknowledge that the data are collected in a manner consistent with all
applicable laws and regulations, as well as institutional policies.

WEBSITE HOSTING PRACTICES
1 Website Hosting Practices
*28. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices
section is required to be completed regardless of the presence of PII)
Yes
Please indicate “Yes” or “No”
for each type of site below. If
the system hosts both Internet
and Intranet sites, indicate
“Yes” for “Both” only.

Yes/ No

If the system hosts an Internet
site, please enter the site URL.
Do not enter any URL(s) for
Intranet sites.

Internet

Yes

Data-archive.nimh.nih.gov /
nda.nih.gov

Intranet

Yes

Both

Yes

29. Does the system host a website that is accessible by the public and does not meet the exceptions listed
in OMB M-03-22?
Note: OMB M-03-22 Attachment A, Section III, Subsection C requires agencies to post a privacy policy for
websites that are accessible to the public, but provides three exceptions: (1) Websites containing information
other than "government information" as defined in OMB Circular A-130; (2) Agency intranet websites that
are accessible only by authorized government users (employees, contractors, consultants, fellows, grantees);
and (3) National security systems defined at 40 U.S.C. 11103 as exempt from the definition of information
technology (see section 202(i) of the E-Government Act.).
Yes
30. If the website does not meet one or more of the exceptions described in Q. 29 (i.e., response to Q. 29 is
"Yes"), a website privacy policy statement (consistent with OMB M-03-22 and Title II and III of the EGovernment Act) is required. Has a website privacy policy been posted?
Yes
31. If a website privacy policy is required (i.e., response to Q. 30 is “Yes”), is the privacy policy in
machine-readable format, such as Platform for Privacy Preferences (P3P)?
Yes
31a. If no, please indicate when the website will be P3P compliant:
N/A
32. Does the website employ tracking technologies?
Yes
Please indicate “Yes”, “No”, or “N/A” for each
type of cookie below:

Yes/No/N/A

Web Bugs

No

Web Beacons

No

Session Cookies

Yes

Persistent Cookies

No

Other

No

*33. Does the website have any information or pages directed at children under the age of thirteen?
No
33a. If yes, is there a unique privacy policy for the site, and does the unique privacy policy address the
process for obtaining parental consent if any information is collected?
N/A
34. Does the website collect PII from individuals directly?
No
Please indicate “Yes” or “No” for each category
below:

Yes/No

Name (for purposes other than contacting
federal employees)

No

Date of Birth

No

SSN

No

Photographic Identifiers

No

Driver's License

No

Biometric Identifiers

No

Mother's Maiden Name

No

Vehicle Identifiers

No

Personal Mailing Address

No

Personal Phone Numbers

No

Medical Records Numbers

No

Medical Notes

No

Financial Account Information

No

Certificates

No

Legal Documents

No

Device Identifiers

No

Web URLs

No

Personal Email Address

No

Education Records

No

Military Status

No

Employment Status

No

Foreign Activities

No

Other

No

35. Are rules of conduct in place for access to PII on the website?
N/A

36. Does the website contain links to sites external to HHS that owns and/or operates the system?
No
36a. If yes, note whether the system provides a disclaimer notice for users that follow external links to
websites not owned or operated by HHS.

ADMINISTRATIVE CONTROLS
1 Administrative Controls
Note: This PIA uses the terms “Administrative,” “Technical” and “Physical” to refer to security control
questions—terms that are used in several Federal laws when referencing security requirements.
37. Has the system been certified and accredited (C&A)?
No
37a. If yes, please indicate when the C&A was completed:
N/A
37b. If a system requires a C&A and no C&A was completed, is a C&A in progress?
Yes
38. Is there a system security plan for this system?
Yes
39. Is there a contingency (or backup) plan for the system?
Yes
40. Are files backed up regularly?
Yes
41. Are backup files stored offsite?
Yes
42. Are there user manuals for the system?
Yes
43. Have personnel (system owners, managers, operators, contractors and/or program managers) using
the system been trained and made aware of their responsibilities for protecting the information being
collected and maintained?
Yes
44. If contractors operate or use the system, do the contracts include clauses ensuring adherence to
privacy provisions and practices?
N/A
45. Are methods in place to ensure least privilege (i.e., “need to know” and accountability)?
Yes
45a. If yes, please specify method(s):
Role-based access and Least-privileged access by AWS access control.
*46. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer
to the C&A package and/or the Records Retention and Destruction section in SORN):
No
46a. If yes, please provide some detail about these policies/practices:
N/A

TECHNICAL CONTROLS
1 Technical Controls
47. Are technical controls in place to minimize the possibility of unauthorized access, use, or
dissemination of the data in the system?
Yes
Please indicate “Yes” or “No” for each category
below:

Yes/No

User Identification

Yes

Passwords

Yes

Firewall

Yes

Virtual Private Network (VPN)

No

Encryption

No

Intrusion Detection System (IDS)

Yes

Common Access Cards (CAC)

No

Smart Cards

Yes

Biometrics

No

Public Key Infrastructure (PKI)

No

48. Is there a process in place to monitor and respond to privacy and/or security incidents?
Yes
48a. If yes, please briefly describe the process:
NIH incident response procedures

PHYSICAL ACCESS
1 Physical Access
49. Are physical access controls in place?
Yes, Inherited from AWS cloud
Please indicate “Yes” or “No” for each category
below:

Yes/No

Guards

Yes

Identification Badges

Yes

Key Cards

Yes

Cipher Locks

No

Biometrics

No

Closed Circuit TV (CCTV)

Yes

*50. Briefly describe in detail how the PII will be secured on the system using administrative, technical,
and physical controls:
Access to the study participant PII data is role-based permission with least privilege functionality requiring
the use of identification and authenticators (NIH access credentials).

APPROVAL/DEMOTION
1 System Information
System Name:
NIMH Data Archive - Omics and Imaging Data Store
2

PIA Reviewer Approval/Promotion or Demotion

Promotion/Demotion:
Comments:
Approval/Demotion
Point of Contact:
Date:
3

September 18, 2020
Senior Official for Privacy Approval/Promotion or Demotion

Promotion/Demotion:
Comments:
4

OPDIV Senior Official for Privacy or Designee Approval

Please print the PIA and obtain the endorsement of the reviewing official below. Once the signature
has been collected, retain a hard copy for the OPDIV's records. Submitting the PIA will indicate the
reviewing official has endorsed it
This PIA has been reviewed and endorsed by the OPDIV Senior Official for Privacy or Designee
(Name and Date):
Name: __________________________________
________________________________________

Date:

Name:
Date:

5

Department Approval to Publish to the Web

Approved for web publishing
Date Published:
Publicly posted PIA URL or no PIA URL
explanation:

PIA % COMPLETE
1

PIA Completion

PIA Percentage
Complete:
PIA Missing Fields:

100.00


File Typeapplication/pdf
File TitlePrimavera ProSight Report
AuthorHermach, William
File Modified2020-09-18
File Created2020-09-18

© 2024 OMB.report | Privacy Policy