Pia

Attachment 3 - PIA Form.pdf

International Research Fellowship Award Program (NIDA)

PIA

OMB: 0925-0733

Document [pdf]
Download: pdf | pdf
1. OPDIV

National Institutes of Health

2. PIA Unique Identifier

P-8851736-287551

2a. Name

NIDA International Fellowship Program

3. The subject of this PIA is
Electronic Information Collection
which of the following?
3a. Identify the Enterprise
Performance Lifecycle Phase Operational
of the system.
3b. Is this a
No
FISMA-Reportable system?
4. Does the system include a
Website or online
application available to and Yes
for the use of the general
public?
Accept / Reject Status

Undefined

Question 4 Comment
5. Identify the operator.

Agency

6. Point of Contact (POC)
POC Title

Research Training Program Officer

POC Name

Lindsey Friend

POC Organization

National Institute on Drug Abuse, International Program

POC Email

[email protected]

POC Phone

(301) 402-1428

Accept / Reject Status

Undefined

Question 6 Comment
7. Is this a new or existing
system?

New

8. Does the system have
Security Authorization
(SA)?

Yes

For Official Use Only (FOUO)

Page 1

Accept / Reject Status

Undefined

Question 8 Comment
8a. Date of Security
Authorization

05/21/2021

9. Indicate the following
reason(s) for updating this
PIA. Choose from the
following options.
Other
Accept / Reject Status
Question 9 Comment

10. Describe in further detail
any changes to the system
that have occurred since the
last PIA.
Accept / Reject Status

Undefined

Question 10 Comment
The purpose of the NIDA International Fellowship Program (IRP) is
to identify potential applicants for the program. The information
11. Describe the purpose of
collection activity is necessary to determine the eligibility and quality
the system.
of potential awardees for the research training opportunity of this
program.
Accept / Reject Status

Undefined

Question 11 Comment
12. Describe the type of
information the system will
collect, maintain (store), or
share. (Subsequent questions

The information collected during the application process is used to
make basic eligibility determinations and to provide the scientific
reviewers the information necessary to assess the scientific merit of
the full application (applicant and mentor responses), the proposal's

For Official Use Only (FOUO)

Page 2

will identify if this
information is PII and ask
about the specific data
elements.)

relevance to drug use and addiction and NIDA's research mission,
adequacy of the applicant's education and experience to conduct the
proposed research, likelihood that the proposed research can be
completed within 1 year, and compatibility of the applicant's and
mentor's objectives.
Information collected through the applicant form includes Personal
information (name, year of birth); Contact information (mailing,
e-mail, phone for current and permanent address); Educational
history (university, academic major, attendance dates, degree
awarded); Employment history (position title, organization, duties
and responsibilities, dates of employment); Resume components
(position title, name and address of institution); name and address of
mentor and contact information; list of publications, professional
reference names and contact information; research abstract and
proposal, and applicant certification and acceptance of terms.
Requirements for eligibility include:
An earned doctoral degree in medicine, public health, or biomedical,
behavioral, or social sciences.
A minimum of 2 years of postdoctoral research experience, including
a demonstrated ability to engage in independent research.
Written assurance from an institution in the home country that there
is a position to which the applicant can return af ter completing the
fellowship.
Information collected through the mentor form includes: Personal
information (name); Contact information (e-mail address, work
phone number); Educational history (university, academic major,
attendance dates, degree awarded); Resume components (position
title, name and address of institution); Mentorship background
(number of Pre- and Postdoctoral Fellows mentored, names and
current employer of most recent mentored fellows); list of significant
publications, awards, honors, and/or membership on current federal
government public advisory committees; mentor's statement of
support of applicant's postdoctoral training and research proposal;
and mentor certification and acceptance of terms. To be considered, a
mentor must be a NIDA-funded researcher in the United States. The
mentor's NIDA-funded grant must be active throughout the proposed
fellowship period.
Users access the International Research Fellowship Award Program
application using NIH Identity, Credential, and Access Management
(IAM) Services which maintains its own unique privacy impact
assessment (PIA) on record, including all legal authorities
documented. The purpose of the IAM is to authenticate and
authorize all users and computers in a Windows domain type
network; assigning and enforcing information security policies for all
computers and installing or updating software. The IAM collects

For Official Use Only (FOUO)

Page 3

unique usernames and passwords (user credentials) and stores them
in an encrypted format. The IAM is an essential service which
facilitates and governs network access to various resources.
Accept / Reject Status

Undefined

Question 12 Comment
The information collected during the application process is used to
make basic eligibility determinations and to provide the scientific
reviewers the information necessary to assess the scientific merit of
the full application (applicant and mentor responses), the proposal's
relevance to drug use and addiction and NIDA's research mission,
adequacy of the applicant's education and experience to conduct the
proposed research, likelihood that the proposed research can be
completed within 1 year, and compatibility of the applicant's and
mentor's objectives.
Information collected through the applicant form includes: Personal
information (name, year of birth); Contact information (mailing,
e-mail, phone for current and permanent address); Educational
history (university, academic major, attendance dates, degree
awarded); Employment history (position title, organization, duties
and responsibilities, dates of employment); Resume components
(position title, name and address of institution); name and address of
13. Provide an overview of
mentor and contact information; list of publications, professional
the system and describe the
reference names and contact information; research abstract and
information it will collect,
proposal, and applicant certification and acceptance of terms.
maintain (store), or share,
Requirements for eligibility include:
either permanently or
An earned doctoral degree in medicine, public health, or biomedical,
temporarily.
behavioral, or social sciences.
A minimum of 2 years of postdoctoral research experience, including
a demonstrated ability to engage in independent research.
Written assurance from an institution in the home country that there
is a position to which the applicant can return after completing the
fellowship.
Information collected through the mentor form includes: Personal
information (name); Contact information (e-mail address, work
phone number); Educational history (university, academic major,
attendance dates, degree awarded); Resume components (position
title, name and address of institution); Mentorship background
(number of Pre- and Postdoctoral Fellows mentored, names and
current employer of most recent mentored fellows); list of significant
publications, awards, honors, and/or membership on current federal
government public advisory committees; mentor's statement of
support of applicant's postdoctoral training and research proposal;
For Official Use Only (FOUO)

Page 4

and mentor certification and acceptance of terms. To be considered,
a mentor must be a NIDA-funded researcher in the United States.
The mentor's NIDA-funded grant must be active throughout the
proposed fellowship period.
Users access the International Research Fellowship Award Program
application using NIH IAM Services which maintains its own unique
privacy impact assessment (PIA) on record, including all legal
authorities documented.
Accept / Reject Status

Undefined

Question 13 Comment
14. Does the system collect,
Yes
maintain, use or share PII?
Accept / Reject Status

Undefined

Question 14 Comment

15. Indicate the type of PII
that the system will collect
or maintain.

Name, E-Mail Address, Phone Numbers, Certificates, Education
Records, Mailing Address, Employment Status
Resume, publications, references, research abstracts, year of birth
Awards, honors, memberships, citizenship

Accept / Reject Status

Undefined

Question 15 Comment
16. Indicate the categories of
individuals about whom PII
Employees, Public Citizens
is collected, maintained or
shared.
Accept / Reject Status

Undefined

Question 16 Comment

For Official Use Only (FOUO)

Page 5

17. How many individuals'
PII is in the system?

Less than 100

Accept / Reject Status

Undefined

Question 17 Comment

18. For what primary
purpose is the PII used?

The primary purpose of collecting personally identifiable information
(PII) is to make basic eligibility determinations for acceptance in to
the program or become a mentor.

Accept / Reject Status

Undefined

Question 18 Comment
19. Describe the secondary
uses for which the PII will
The secondary use would be to contact applicant and mentor during
be used (e.g. testing, training application review and award decision process.
or research)
Accept / Reject Status

Undefined

Question 19 Comment
20. Describe the function of
N/A. SSN is not collected
the SSN.
Accept / Reject Status

Undefined

Question 20 Comment
20a. Cite the legal authority
N/A. SSN is not collected
to use the SSN.
21. Identify legal authorities
governing information use
42 U.S.C 241
and disclosure specific to the
system and program.
22. Are records on the
system retrieved by one or
more PII data elements?

Yes

Accept / Reject Status

Undefined
For Official Use Only (FOUO)

Page 6

Question 22 Comment

22a. Identify the number and title of the Privacy Act System of Records Notice (SORN) that is
being used to cover the system or identify if a SORN is being developed.
Published:

09-25-0014 "Clinical Research: Student Records

Published:
Published:
In Progress

Undefined

23. Identify the sources of
PII in the system.

Online, Members of the Public

Accept / Reject Status

Undefined

Question 23 Comment
23a. Identify the OMB
information collection
approval number and
expiration date.

OMB #0925-0733
Expires 07/31/2022

24. Is the PII shared with
other organizations?

No

Accept / Reject Status

Undefined

Question 24 Comment

24a. Identify with whom the PII is shared or disclosed and for what purpose.
Within HHS

Undefined

Other Federal
Agency/Agencies

Undefined

State or Local
Agency/Agencies

Undefined

For Official Use Only (FOUO)

Page 7

Private Sector

Undefined

24b. Describe any
agreements in place that
authorizes the information
sharing or disclosure (e.g.
Computer Matching
Agreement, Memorandum of
Understanding (MOU), or
Information Sharing
Agreement (ISA)).
24c. Describe the procedures
for accounting for
disclosures.
25. Describe the process in
place to notify individuals
that their personal
Application instructions are posted on the website and explain the
information will be
information to be gathered to determine eligibility.
collected. If no prior notice
is given, explain the reason.
Accept / Reject Status

Undefined

Question 25 Comment
26. Is the submission of PII
by individuals voluntary or
mandatory?

Voluntary

Accept / Reject Status

Undefined

Question 26 Comment
27. Describe the method for
individuals to opt-out of the
collection or use of their PII. The online application is only required if the person chooses to apply
If there is no option to object for the program. The person can choose not to apply and thus opt-out.
to the information collection,
provide a reason.
Accept / Reject Status

Undefined

For Official Use Only (FOUO)

Page 8

Question 27 Comment
28. Describe the process to
notify and obtain consent
from the individuals whose
PII is in the system when
major changes occur to the
system (e.g., disclosure
Participants are required to opt in to consent of the information
and/or data uses have
collected prior to completing an application.
changed since the notice at
the time of original
collection). Alternatively,
describe why they cannot be
notified or have their consent
obtained.
Accept / Reject Status

Undefined

Question 28 Comment
29. Describe the process in
place to resolve an
individual's concerns when
they believe their PII has
been inappropriately
obtained, used, or disclosed,
or that the PII is inaccurate.
If no process exists, explain
why not.

There is currently no process in place since we do not believe this is a
foreseeable event. Should an individual raise a concern, NIDA
would treat it as an incident, investigate, and attempt to resolve
accordingly.

Accept / Reject Status

Undefined

Question 29 Comment
30. Describe the process in
place for periodic reviews of
PII contained in the system
to ensure the data's integrity,
availability, accuracy and
relevancy. If no processes
are in place, explain why
not.

All PII collected will be permanently deleted from the system after
each fellowship application period (yearly). It will not be used for
any other purpose than described so periodic reviews are not
relevant.

Accept / Reject Status

Undefined
For Official Use Only (FOUO)

Page 9

Question 30 Comment
31. Identify who will have access to the PII in the system and the reason why they require access.
Users

Yes
Users have access to their own information.

Administrators

Yes
Administrators may be applicant reviewers and provide system
management & operations.

Developers

Yes
Developers provide system development/enhancements,
management, and operations.

Contractors

Yes
Direct contractors may be administrators and/or developers.

Others

Undefined

32. Describe the procedures
in place to determine which Access to PII is assigned to personnel based upon current job
system users (administrators, responsibilities. An IAM login account is required to gain access to
developers, contractors, etc.) the stored PII data.
may access PII.
Accept / Reject Status

Undefined

Question 32 Comment
33. Describe the methods in
place to allow those with
Access to PII is assigned to personnel based upon current job
access to PII to only access
responsibilities. An IAM login account is required to gain access to
the minimum amount of
the stored PII data.
information necessary to
perform their job.
Accept / Reject Status

Undefined

Question 33 Comment
34. Identify training and
awareness provided to
personnel (system owners,

All personnel who manage or operate NIH applications must
successfully complete annual privacy and security awareness
training. There are five categories of mandatory information
For Official Use Only (FOUO)

Page 10

managers, operators,
contractors and/or program
managers) using the system
to make them aware of their
responsibilities for
protecting the information
being collected and
maintained.

technology (IT) training (Information Security, Counterintelligence,
Privacy Awareness, Records Management and Emergency
Preparedness). Training is completed on the
http://irtsectraining.nih.gov site with valid NIH credentials.

Accept / Reject Status

Undefined

Question 34 Comment
35. Describe training system
users receive (above and
Administrators and Privileged Users require additional training
beyond general security and specific to their roles and responsibilities.
privacy awareness training).
Accept / Reject Status

Undefined

Question 35 Comment
36. Do contracts include
Federal Acquisition
Regulation and other
Yes
appropriate clauses ensuring
adherence to privacy
provisions and practices?
Accept / Reject Status

Undefined

Question 36 Comment
NIH Records schedule 02-005 - Official Case Files of Applications
and Awards, Appeals, and Litigation Records for Grants,
Cooperative Agreements, and Other Transaction Activities.
37. Describe the process and
Official case files of funded and unfunded grants and cooperative
guidelines in place with
agreements, award applications, and appeals and litigation records.
regard to the retention and
Records also include those supporting other transaction awards and
destruction of PII. Cite
activities. Disposition: Cut off annually following completion of
specific records retention
final award-related activity that represents closing of the case file
schedules.
(e.g., end of project period, completed final peer review, litigation or
appeal proceedings concluded). Destroy 30 year(s) after cutoff.
Disposition authority: DAA-0443-2019-0008

For Official Use Only (FOUO)

Page 11

Accept / Reject Status

Undefined

Question 37 Comment
Physical controls include 24x7 guards of mobile units used to collect
data, Personal Identify Verification (PIV) key cards and closed
circuit television (TV).
38. Describe, briefly but
with specificity, how the PII
will be secured in the system
using administrative,
technical, and physical
controls.

Accept / Reject Status

Technical controls include User identification (ID), passwords,
network firewall, Virtual Private Network (VPN), Intrusion
Detection System, Role Based Access Controls, System logs.
Administrative controls include system security and contingency
plan. Files are backed up regularly and stored offsite. Contract
clauses ensure adherence to privacy provisions and practices, least
privilege through role-based access, and policies for retention and
destruction of PII.
Undefined

Question 38 Comment

39. Identify the
publicly-available URL.

https://nidaextshare.nida.nih.gov/INVEST/SitePages/Home.aspx
https://nidaextshare.nida.nih.gov/INVEST/SitePages/mentor.aspx

Accept / Reject Status

Undefined

Question 39 Comment
40. Does the website have a
Yes
posted privacy notice?
Accept / Reject Status

Undefined

Question 40 Comment

40a. Is the privacy policy
available in a
machine-readable format?

Yes

For Official Use Only (FOUO)

Page 12

41. Does the website use
web measurement and
customization technology?

No

Accept / Reject Status

Undefined

Question 41 Comment

41a. Select the type of website measurement and customization technologies is in use and if it is
used to collect PII. (Select all that apply).
Web Beacons

No

Collects PII?

Undefined

Web Bugs

No

Collects PII?

Undefined

Session Cookies

No

Collects PII?

Undefined

Persistent Cookies

No

Collects PII?

Undefined

Other ...
Collects PII?

Undefined

42. Does the website have
any information or pages
No
directed at children under the
age of thirteen?
Accept / Reject Status

Undefined

Question 42 Comment

42a. Is there a unique
privacy policy for the
website, and does the unique
Undefined
privacy policy address the
process for obtaining
parental consent if any

For Official Use Only (FOUO)

Page 13

information is collected?
43. Does the website contain
links to non-federal
No
government websites
external to HHS?
Accept / Reject Status

Undefined

Question 43 Comment

43a. Is a disclaimer notice
provided to users that follow
Undefined
external links to websites not
owned or operated by HHS?

REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to
be filled out unless the user is an OPDIV Senior Officer for Privacy.
1. Are the questions on the
PIA answered correctly,
Undefined
accurately, and completely?
Reviewer Notes
Accept / Reject Status

Undefined

Question 1 Comment
2. Does the PIA
appropriately communicate
the purpose of PII in the
Undefined
system and is the purpose
justified by appropriate legal
authorities?
Reviewer Notes
Accept / Reject Status

Undefined

Question 2 Comment

For Official Use Only (FOUO)

Page 14

3. Do system owners
demonstrate appropriate
understanding of the impact
of the PII in the system and Undefined
provide sufficient oversight
to employees and
contractors?
Reviewer Notes
Accept / Reject Status

Undefined

Question 3 Comment
4. Does the PIA
appropriately describe the
PII quality and integrity of
the data?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 4 Comment
5. Is this a candidate for PII
Undefined
minimization?
Reviewer Notes
Accept / Reject Status

Undefined

Question 5 Comment
6. Does the PIA accurately
identify data retention
procedures and records
retention schedules?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 6 Comment

For Official Use Only (FOUO)

Page 15

7. Are the individuals whose
PII is in the system provided Undefined
appropriate participation?
Reviewer Notes
Accept / Reject Status

Undefined

Question 7 Comment
8. Does the PIA raise any
concerns about the security
of the PII?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Accept / Reject Status

Undefined

Question 8 Comment
9. Is applicability of the
Privacy Act captured
correctly and is a SORN
published or does it need to
be?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Accept / Reject Status

Undefined

Question 9 Comment
10. Is the PII appropriately
limited for use internally and Undefined
with third parties?
Reviewer Notes
Accept / Reject Status

Undefined

Question 10 Comment
11. Does the PIA

Undefined
For Official Use Only (FOUO)

Page 16

demonstrate compliance
with all Web privacy
requirements?
Reviewer Notes
Accept / Reject Status

Undefined

Question 11 Comment
12. Were any changes made
to the system because of the Undefined
completion of this PIA?
Reviewer Notes
Accept / Reject Status

Undefined

Question 12 Comment

General Comments

This module is under the National Institute on Drug Abuse (NIDA)
6101 General Support System whose Universal Unique Identifier
(UUID) is: 634C0CC9-0191-4EA9-8AAF-076D61FC021B
OMB #0925-0733 has been issued an extension to 07/31/2022

Status and Approvals
IC Status

IC Approved

OSOP Status

Pending Privacy Officer Review

OPDIV Senior Official for
Privacy Signature
HHS Senior Agency Official
for Privacy

For Official Use Only (FOUO)

Page 17


File Typeapplication/pdf
AuthorAbdelmouti, Tawanda (NIH/OD) [E]
File Modified2022-05-04
File Created2022-05-04

© 2024 OMB.report | Privacy Policy