Privacy Checklist

Privacy Act Checklist

Part of the OMB Clearance Process involves the review of packages by the Privacy Act coordinator. This review is required for all clearance packages and essential when data collection activities require the collection of sensitive or personally identifiable information.

Develop a brief narrative answering the following questions:

Does the data collection involve collecting sensitive and/or personally identifiable information?

Describe how personal information will be maintained (i.e, locked file cabinet, on computer, etc.) and who will have access to it (employees only, contractors, etc.).

State how long the sensitive and/or personal information will be maintained.

The University of Alaska Anchorage’s Institute for Social and Economic Research (ISER) staff will administer survey questionnaires to air taxi and commuter airline operators (including the subset of single-pilot operators), commercial pilots, ramp/baggage/cargo/dock agents, customer service agents, and maintenance technicians using the Qualtrics (FedRAMP certified) cloud software application to conduct surveys. Members of ISER will provide Qualtrics survey links to participants, facilitate the survey over the phone and fill in answers for participants, or provide a paper copy of the survey to participants, who then mail/fax the survey ISER members who manually fill out the survey results in Qualtrics.

ISER will collect data that may be considered sensitive and may be considered to be PII, as small populations may render some respondents identifiable. Thus the following privacy policies will apply:

• Potential PII data may only be accessed by ISER (Core Staff)

• Surveys must be stored on Qualtrics, a FedRAMP certified

cloud provider

• Hard copies of surveys are destroyed upon transfer to Qualtrics

• Data dumps containing potential PII must only be stored on the encrypted, access-controlled sub-share (managed by ISER)

• All work facilitated by ISER staff, and all data handled by them, must be done on CDC issued laptops

Data collected by ISER will be deidentified, cleaned, and analyzed, or

deidentified and cleaned and proved to NIOSH. No potential PII will be

provided to NIOSH researchers.

For Extensions and Reinstatements Only:

Packages are being reinstated or extended.

Respondents are state and local governments

Responses arrive at CDC and ATSDR with no identifiable

information and in aggregate form

Data management procedures have not changed since previous

approval and the instruments have not been through extensive revisions.

Additional Tips

Ensure that your package adheres to the following:

Does not use Privacy Act language from existing packages. Often times, new packages will be developed based upon existing packages. However, the privacy Act language is never transferrable between packages.

Consent documents/advisements contain the following information:

Authority for collecting the data (usually OSHA Act)

Purpose for collecting the data

With whom identifiable information will be shared.

Voluntary nature of the information collection

Effect upon respondent for not participating