Privacy Impact Assessment

Attachment_8_PIA.pdf

Fellowship Management System

Privacy Impact Assessment

OMB: 0920-0765


Privacy Impact Assessment Form
v 1.47.4
Status: Draft
Form Number: F-68720
Form Date: 3/6/2018 8:27:40 AM

Question

Answer

1 OPDIV:

CDC

2 PIA Unique Identifier:

P-8140329-191084

2a Name:

CDC Wizehive (WizeH)

3 The subject of this PIA is which of the following?

General Support System (GSS)
Major Application
Minor Application (stand-alone)
Minor Application (child)
Electronic Information Collection
Unknown

3a Identify the Enterprise Performance Lifecycle Phase
of the system.

Operations and Maintenance

3b Is this a FISMA-Reportable system?

Yes
No

4 Does the system include a Website or online
application available to and for the use of the general
public?

Yes
No

5 Identify the operator.

Agency
Contractor

6 Point of Contact (POC):

POC Title: ISSO
POC Name: Jared Brown
POC Organization: MISO
POC Email: [email protected]
POC Phone: 770-488-5993

7 Is this a new or existing system?

New
Existing

8 Does the system have Security Authorization (SA)?

Yes
No

8b Planned Date of Security Authorization

June 12, 2018
Not Applicable

11 Describe the purpose of the system.

CDC WizeHive (WizeH) is a web-based cloud application that
allows CDC Management Information Systems Office (MISO) to
develop tailored work-flows and a centralized repository for
Fellowship applicants. WizeH will streamline the application
process for CDC Programs who are looking for a variety of
applicants ranging from fellows to doctors and who will be on
assignment throughout the world.

CDC programs can find and select candidates based on the
profiles the fellows have created of their skills, concentrations
and specialties. CDC WizeH is being implemented to enable
applicants and host sites to apply to CDC fellowships online,
program participants to submit fellowship progress and
monitoring information, and fellowship alumni to submit
professional alumni data in one integrated database.

12 Describe the type of information the system will
collect, maintain (store), or share. (Subsequent
questions will identify if this information is PII and ask
about the specific data elements.)

WizeH collects Fellowship applicants’ Names; Date of Birth;
Gender; Email Address; Mailing Address; Phone Numbers;
Fellowship Entry Year; Citizenship Information; Education and
Training; Work Experience; Volunteer Activities; Research
Grants; Presentations; Publications; Interests; and Skills and
Abilities. Additional information will include assignment
description for the CDC, health department, or other
assignment location. All submissions of data are voluntary
including participation in the alumni directory.

13 Provide an overview of the system and describe the
information it will collect, maintain (store), or share,
either permanently or temporarily.

The primary purpose of CDC WizeHive is to provide a centrally
managed repository of application data received from
fellowship applicants and alumni data received from
fellowship graduates. CDC WizeHive will allow applicants and
host sites to apply to CDC fellowships online, program
participants to submit fellowship progress and monitoring
information, and fellowship alumni to submit professional
alumni data in one integrated database. The target audience
for fellowship applications consists of professionals in public
health, epidemiology, medicine, economics, information
science, veterinary medicine, nursing, pharmacy, public policy
and related professions, and medical, veterinary, and graduate
students. The target audience for host site applications
consists of CDC Centers, Institutes, and Offices, state, territorial,
local and tribal health departments, other federal government
agencies, and other non-governmental health related entities
(e.g., managed care organizations).

Applicants choosing to apply to one or more CDC fellowship(s)
will enter their information once and alumni who choose to
participate in the alumni directory will have the option of
providing updates to information that has changed.
Information about alumni who provide consent will be
included in standard downloadable reports including the
alumni directory. Alumni will use the directory to facilitate
networking, per their request. CDC will use the information
collected for processing application data, selection of qualified
candidates, monitoring the progress of the fellowship
experience, maintaining a current alumni database,
documenting the impact of the fellowships, and generating
reports. After graduation, Fellowship alumni information is
retained, and alumni are encouraged to update their data as
their professional positions evolve.

During each Fellowship’s open enrollment period, WizeH
collects Fellowship applicants’ Names, Date of Birth, Gender,
Email Address, Mailing Address, Phone Numbers, Fellowship
Entry Year, Citizenship Information, Education and Training,
Work Experience, Volunteer Activities, Research Grants,
Presentations, Publications, Interests, Skills and Abilities.
Additional information will include assignment description for
the CDC, health department, or other assignment location. All
submissions of data are voluntary including participation in
the alumni directory. Supervisors and CDC fellowship program
staff will monitor the information entered along with the
fellowship experience.

14 Does the system collect, maintain, use or share PII?

Yes
No


15 Indicate the type of PII that the system will collect or
maintain.

Social Security Number

Date of Birth

Name

Photographic Identifiers

Driver's License Number

Biometric Identifiers

Mother's Maiden Name

Vehicle Identifiers

E-Mail Address

Mailing Address

Phone Numbers

Medical Records Number

Medical Notes

Financial Account Info

Certificates

Legal Documents

Education Records

Device Identifiers

Military Status

Employment Status

Foreign Activities

Passport Number

Taxpayer ID
Work Experience
Volunteer Activities, Research Grants, Presentations,
Publications, Interests, Skills and Abilities.
Fellowship Entry Year
Professional License
Citizenship and Visa Information

16 Indicate the categories of individuals about whom PII
is collected, maintained or shared.

Employees
Public Citizens
Business Partners/Contacts (Federal, state, local agencies)
Vendors/Suppliers/Contractors
Patients
Other Professionals that support the health care industry.

17 How many individuals' PII is in the system?

5,000-9,999

18 For what primary purpose is the PII used?

The primary purpose for PII in WizeHive is to enable the
program to identify Fellowship candidates efficiently and
effectively.

19 Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)

The secondary use of the PII is to maintain contact information
for Alumni Fellows.

20 Describe the function of the SSN.

SSNs will not be stored, transmitted or processed by the
system.

20a Cite the legal authority to use the SSN.

SSNs will not be stored, transmitted or processed by the
system.

21 Identify legal authorities governing information use
and disclosure specific to the system and program.

Public Health Service Act, Section 207(g),(h), "Appointment of
Personnel," Sections 208, "Pay and Allowances," and Section
301, "Research and Investigation" (42 U.S.C. 209 (g),(h), 210 and
241).

22 Are records on the system retrieved by one or more
PII data elements?

Yes
No

22a Identify the number and title of the Privacy Act
System of Records Notice (SORN) that is being used
to cover the system or identify if a SORN is being
developed.

Published: 09-20-0112: Fellowship Program and Guest
Researcher Records
Published: OPM/GOVT–5, Recruiting, Examining, and
Placement Records
Published:
In Progress

23 Identify the sources of PII in the system.

Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other

Government Sources
Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other

Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other

23a Identify the OMB information collection approval
number and expiration date.

0920-0765 - 04/30/2018

24 Is the PII shared with other organizations?

Yes
No

25 Describe the process in place to notify individuals
that their personal information will be collected. If
no prior notice is given, explain the reason.

During the application process, applicants are notified of what
PII will be requested and how the information will be used.
Application to the CDC Fellowship program is voluntary, and if
the applicants consent to providing the information requested,
they proceed with the on-line application.

26 Is the submission of PII by individuals voluntary or
mandatory?

Voluntary
Mandatory

27 Describe the method for individuals to opt-out of the
collection or use of their PII. If there is no option to
object to the information collection, provide a
reason.

Application to the Fellowship program through the use of
CDC WizeHive is voluntary; the opt-out method for applicants
is to not continue with the Fellowship application. However,
the data collected is required in order to complete the
Fellowship application.

28 Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe
why they cannot be notified or have their consent
obtained.

Should major changes ever occur to the system CDC Program
Administrators will notify individuals whose PII is in the system
by email asking them to log on to the system to provide
electronic consent as appropriate. The EIS Bulletin will also
include an announcement of notification and request alumni
to log on to the system to provide electronic consent as
appropriate.

29 Describe the process in place to resolve an
individual's concerns when they believe their PII has
been inappropriately obtained, used, or disclosed, or
that the PII is inaccurate. If no process exists, explain
why not.

Users are able to notify the CDC Program Administrators via
the site to help assist with resolving any issue. Alternatively,
they can send an email to the WizeHive Customer Support
team at [email protected].

30 Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.

Candidates matriculated into the program are required to
maintain current information within the system. Candidates
update their own data during the re-application process.

31 Identify who will have access to the PII in the system
and the reason why they require access.

Users

View and update their own profile
information

Administrators

View users profiles for fellowship
selection and placement

Developers
Contractors
Others

View users profiles for fellowship
selection and placement

32 Describe the procedures in place to determine which
system users (administrators, developers,
contractors, etc.) may access PII.

Role based access methodology is employed to determine
which users are able to access PII. Only those individuals
having a need to know will be granted access to the PII.

33 Describe the methods in place to allow those with
access to PII to only access the minimum amount of
information necessary to perform their job.

The WizeHive application utilizes the principle of least privilege
access. Users can only see their own information. WizeHive
Managers, Administrators, and Reviewers would be able to
view Users' information.

34 Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.

All CDC users and accepted fellows must complete the CDC
Security and Privacy Awareness Training (SAT) program and
annual refresher training.

35 Describe training system users receive (above and
beyond general security and privacy awareness
training).

N/A - Secondary training is not required.

36 Do contracts include Federal Acquisition Regulation
and other appropriate clauses ensuring adherence to
privacy provisions and practices?

Yes
No

37 Describe the process and guidelines in place with
regard to the retention and destruction of PII. Cite
specific records retention schedules.

CDC is responsible for maintaining the data for the application.
Data retention and destruction of PII will be in accordance
with NARA policies as implemented by CDC/ITSO.
GRS 2.3.033- EEO Records- Prelim/bkgd files
Retain for 2 years
GRS 2.3.035 EEO Records - Compliance reports
Retain for 5 years
4-02b Data from databases:
Destroy when no longer needed for administrative purposes.
GRS 23-5 Schedules of Daily Activities.
Input data, dispose when no longer needed. System data, ten
years. Output data, final reports, permanent. Output data, ad hoc
printouts, five years. Output data, other electronic files,
dispose when no longer needed.

38 Describe, briefly but with specificity, how the PII will
be secured in the system using administrative,
technical, and physical controls.

WizeHive Application’s PII is secured via:

Administrative Controls
Administrative controls include the enforcement of user roles
and having users agree to system Rules of Behavior. Any changes
to the application must go through the WizeHive Administrator
and Reviewers.

Technical Controls
Technical controls are in place to minimize the possibility of
unauthorized access, use, or dissemination of the data in the
system. The application utilizes role-based access and grants
access to the data based on authentication and authorization.
WizeHive User identification is required through email address
and password. WizeHive Operation team utilizes Elastic
Logstash, Amazon CloudWatch, and PagerDuty to detect
anomalies in near real-time. Amazon AWS utilizes network
security tools such as firewalls, secure access points, intrusion
detection, and transmission protection. Amazon employs
multi-factor authentication to allow remote access to the data
center.

Physical Controls
Servers are housed in the Amazon state-of-the-art data centers.
Physical access is strictly controlled by both perimeter and
building ingress points. The facility has physical security staff,
video surveillance, intrusion detection system, and other
electronic means. Personnel must pass two-factor
authentication a minimum of two times to access the data
center floors.

General Comments

OPDIV Senior Official for Privacy Signature

Beverly E. Walker -S

Digitally signed by Beverly E. Walker -S
Date: 2018.03.28 22:20:58 -04'00'



File Type: application/pdf
File Modified: 2018-03-28
File Created: 2016-03-30
