Pia

Save

Privacy Impact Assessment Form
v 1.47.4
Status Draft

Form Number

F-76139

Form Date

Question

Answer

1

OPDIV:

CDC

2

PIA Unique Identifier:

P-4154066-593122

2a Name:

4/20/2020 8:58:04 AM

Technical Assistance Hub (TAH)
General Support System (GSS)
Major Application

3

Minor Application (stand-alone)

The subject of this PIA is which of the following?

Minor Application (child)
Electronic Information Collection
Unknown

3a

Identify the Enterprise Performance Lifecycle Phase
of the system.

Development
Yes

3b Is this a FISMA-Reportable system?

4

Does the system include a Website or online
application available to and for the use of the general
public?

5

Identify the operator.

6

Point of Contact (POC):

7

Is this a new or existing system?

8

Does the system have Security Authorization (SA)?

8b Planned Date of Security Authorization

No
Yes
No
Agency
Contractor
POC Title

Business Steward

POC Name

Christi Jones

POC Organization NCIPC
POC Email

[email protected]

POC Phone

770.488.3703
New
Existing
Yes
No
June 12, 2020
Not Applicable

Page 1 of 7

Save
11 Describe the purpose of the system.
Describe the type of information the system will
collect, maintain (store), or share. (Subsequent
12
questions will identify if this information is PII and ask
about the specific data elements.)
Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.
14 Does the system collect, maintain, use or share PII?

15

The purpose of this system is to create a Technical Assistance
(TA) Hub that delivers comprehensive technical assistance and
TAH collect organizational email addresses to send
notifications and collaborate with other users, password for
authentication, and security role to specify privileges of the
users in the system. TAH also collects user names to identify a
TAH collect basic program information on OD2A; OD2A
program participants request for technical assistance; the
administration and execution of the technical assistance;
Yes
No

Indicate the type of PII that the system will collect or
maintain.

Social Security Number

Date of Birth

Name

Photographic Identifiers

Driver's License Number

Biometric Identifiers

Mother's Maiden Name

Vehicle Identifiers

E-Mail Address

Mailing Address

Phone Numbers

Medical Records Number

Medical Notes

Financial Account Info

Certificates

Legal Documents

Education Records

Device Identifiers

Military Status

Employment Status

Foreign Activities

Passport Number

Taxpayer ID
UserID & Password

Employees
Public Citizens
16

Business Partners/Contacts (Federal, state, local agencies)

Indicate the categories of individuals about whom PII
is collected, maintained or shared.

Vendors/Suppliers/Contractors
Patients
Other

17 How many individuals' PII is in the system?
18 For what primary purpose is the PII used?
19

Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)

20 Describe the function of the SSN.

100-499
The PII Information is used for user registration, login and
contact and follow-up.
N/A
N/A

Page 2 of 7

Save
20a Cite the legal authority to use the SSN.

N/A

21

Identify legal authorities governing information use Public Health Service Act, Section 301, "Research and
and disclosure specific to the system and program.
Investigation" (42 U.S.C. 241)

22

Are records on the system retrieved by one or more
PII data elements?

Yes
No
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources

23

Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other

Identify the sources of PII in the system.

Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other
23a

Identify the OMB information collection approval
number and expiration date.

24 Is the PII shared with other organizations?

TBD
Yes
No

Page 3 of 7

Save
The participants are informed that personal information is
required for registration and identify proofing. The contractor
communicates to the site users in three ways:

Describe the process in place to notify individuals
25 that their personal information will be collected. If
no prior notice is given, explain the reason.

26

Is the submission of PII by individuals voluntary or
mandatory?

Describe the method for individuals to opt-out of the
collection or use of their PII. If there is no option to
27
object to the information collection, provide a
reason.

1) Site registration form- The online form that people use to
request access (membership) to the OD2A-TAC website
includes the following notice before the entry fields: “NOTE:
Personally identifiable information (e.g., name, email address)
is collected solely for the purposes of providing passwordprotected access to the OD2A-TAC website, facilitating internal
communication among OD2A-TAC website users, and sending
system notifications.”
2) Site My Account Edit screen – The Site My Account screen
which allows the site users to view and edit their Personal
information has the following disclaimer: “NOTE: Personally
identifiable information (e.g., name, email address) is collected
solely for the purposes of providing password-protected
access to the OD2A-TAC website, facilitating internal
communication among OD2A-TAC website users, and sending
system notifications.”
3) Site Login screen – The login screen contains a disclaimer
stating unauthorized or improper use of this system is
prohibited and may result in disciplinary action and/or civil
and criminal penalties. At any time, and for any lawful
government purpose, the government may monitor, record,
and audit your system usage and/or intercept, search and seize
any communication or data transiting or stored on this system.
Therefore, you have no reasonable expectation of privacy. Any
communication or data transiting or stored on this system may
be disclosed or used for any lawful Government purpose.”
Voluntary
Mandatory
There is no method to opt out of the collection of the PII for
this systems since the PII collected is name, email address, and
employment status is required in order to communicate with
the site users. We could not communicate or authenticate the
users without the PII requested.

Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
The participants are contacted via email to notify and obtain
28 and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe consent when major changes occur.
why they cannot be notified or have their consent
obtained.

Page 4 of 7

Save
User PII is limited to name, email, jurisdiction, and role – all of
which are intended to be shared within the system with other
users, via a member directory. Internal sharing of this
information facilitates connections and communication
among OD2A recipients, who are eager to learn from and
Describe the process in place to resolve an
individual's concerns when they believe their PII has support one another. The notice on the member directory
29 been inappropriately obtained, used, or disclosed, or records reminds users “Personally identifiable information (e.g.,
that the PII is inaccurate. If no process exists, explain name, email address) is provided solely for the purposes of
internal communication among OD2A Technical Assistance
why not.
Center (TAC) website users and for system notifications.”. Users
also have access to their own account profile, which they can
update or correct at any time, to fix any inaccurate PII. Users
can contact [email protected] with concerns
about the use of their personal information.

Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
30
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.

31

Identify who will have access to the PII in the system
and the reason why they require access.

The system automatically prompts users (via email) every 60
days to update their password and review their profile
information. This encourages self-maintenance of PII. New
requests for system access are reviewed to ensure that only
agency email addresses are used and to check for correct role
selection. They are also reviewed and approved by DOP before
being added to the system. This process takes place on a
rolling basis to ensure new users are added to the system in a
timely manner. Contractor Administrators and Developers may
also access user profiles when needed – for example to delete
them if DOP leadership requests this (for a recipient who had
retired or resigned, for example).
Users

The users have access to PII for
collaboration and or editing.

Administrators

Indirect contractors add, edit, remove;
PII to ensure integrity, accuracy and
relevancy of information.

Developers

Indirect contractors debugging datarelated issues.

Contractors

Indirect contractors add, edit, remove;
PII to ensure integrity, accuracy and
relevancy of information.

Others
Describe the procedures in place to determine which Users' roles are approved by the program management team
32 system users (administrators, developers,
and they do not have access to PII. The program management
contractors, etc.) may access PII.
team must approve all user role classifications before they are

Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.

The site will only collect the bare minimum PII in order to
register the user on the site and ensure that the user is who
they say they are. Furthermore, role-based access control are in
place to ensure the concept of "least privilege" is implemented.
Job function determines the level of access and users are
assigned only those rights necessary to fulfill responsibilities
for approved roles and system-level audit controls to
safeguard and audit use.

Page 5 of 7

Save
Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.

All staff are required to take annual training in cybersecurity,
security awareness, and privacy training. This training has been
reviewed and is in accordance with the CDC requirements.

Describe training system users receive (above and
35 beyond general security and privacy awareness
training).

Training for administrators and developers is tailored to the
TAH information system and their roles.

Do contracts include Federal Acquisition Regulation
36 and other appropriate clauses ensuring adherence to
privacy provisions and practices?

Describe the process and guidelines in place with
37 regard to the retention and destruction of PII. Cite
specific records retention schedules.

Yes
No
Records are retained and disposed of in accordance with the
CDC Records Control Schedule (N1-442-09-1) and in
accordance with contractual agreement. Record copy of study
reports are maintained in the agency from two to three years
in accordance with retention schedules. Source documents for
computers are disposed of when they are no longer needed by
program officials. Personal identifiers may be deleted from
records when no longer needed in the study as determined by
the system manager, and as provided in the signed consent
form, as appropriate. Disposal methods include erasing
computer tapes, burning or shredding paper materials or
transferring records to the Federal Records Center when no
longer needed for evaluation and analysis. Records are
retained for 20 years; for longer periods if further study is
needed.
The administrative security controls employed include
adhering to department, policies and procedures around
security and privacy; and annual awareness training for all
users holding accounts for the system.

Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.

The technical controls are shared between the system and the
Amazon Web Service (AWS) platform. The system provides
controls such as multi- factor authentication for all users to
include Personal Identity Verification (PIV) login capability and
role-based system access to control the amount of PII available
to a user; 2 rounds of two-factor authentication for each
individual accessing a data center floor. AWS provides
infrastructure controls such as secure network access points.
The physical controls will all be inherited by the AWS platform
and include the following: Restricting physical access to the
data center both at the perimeter and at building ingress
points through the help of video surveillance, intrusion
detection systems, and Visitors and contractors are required to
have ID, sign-in with building security, and be escorted by an
authorized staff at all times; Fire detection and suppression
systems; Uninterruptible Power Supply (UPS); Climate and
Temperature control; and Preventative maintenance.

Page 6 of 7

Save

General Comments

OPDIV Senior Official
for Privacy Signature

signed by Jarell
Jarell Oshodi Digitally
Oshodi -S
Date: 2020.05.04 07:37:21
-S
-04'00'

Page 7 of 7