Download:
pdf |
pdf1. OPDIV
National Institutes of Health
2. PIA Unique Identifier
P-8851736-287551
2a. Name
NIDA International Fellowship Program
3. The subject of this PIA is
Electronic Information Collection
which of the following?
3a. Identify the Enterprise
Performance Lifecycle Phase Operational
of the system.
3b. Is this a
No
FISMA-Reportable system?
4. Does the system include a
Website or online
application available to and Yes
for the use of the general
public?
Accept / Reject Status
Undefined
Question 4 Comment
5. Identify the operator.
Agency
6. Point of Contact (POC)
POC Title
Research Training Program Officer
POC Name
Lindsey Friend
POC Organization
National Institute on Drug Abuse, International Program
POC Email
[email protected]
POC Phone
(301) 402-1428
Accept / Reject Status
Undefined
Question 6 Comment
7. Is this a new or existing
system?
New
8. Does the system have
Security Authorization
(SA)?
Yes
For Official Use Only (FOUO)
Page 1
Accept / Reject Status
Undefined
Question 8 Comment
8a. Date of Security
Authorization
05/21/2021
9. Indicate the following
reason(s) for updating this
PIA. Choose from the
following options.
Other
Accept / Reject Status
Question 9 Comment
10. Describe in further detail
any changes to the system
that have occurred since the
last PIA.
Accept / Reject Status
Undefined
Question 10 Comment
The purpose of the NIDA International Fellowship Program (IRP) is
to identify potential applicants for the program. The information
11. Describe the purpose of
collection activity is necessary to determine the eligibility and quality
the system.
of potential awardees for the research training opportunity of this
program.
Accept / Reject Status
Undefined
Question 11 Comment
12. Describe the type of
information the system will
collect, maintain (store), or
share. (Subsequent questions
The information collected during the application process is used to
make basic eligibility determinations and to provide the scientific
reviewers the information necessary to assess the scientific merit of
the full application (applicant and mentor responses), the proposal's
For Official Use Only (FOUO)
Page 2
will identify if this
information is PII and ask
about the specific data
elements.)
relevance to drug use and addiction and NIDA's research mission,
adequacy of the applicant's education and experience to conduct the
proposed research, likelihood that the proposed research can be
completed within 1 year, and compatibility of the applicant's and
mentor's objectives.
Information collected through the applicant form includes Personal
information (name, year of birth); Contact information (mailing,
e-mail, phone for current and permanent address); Educational
history (university, academic major, attendance dates, degree
awarded); Employment history (position title, organization, duties
and responsibilities, dates of employment); Resume components
(position title, name and address of institution); name and address of
mentor and contact information; list of publications, professional
reference names and contact information; research abstract and
proposal, and applicant certification and acceptance of terms.
Requirements for eligibility include:
An earned doctoral degree in medicine, public health, or biomedical,
behavioral, or social sciences.
A minimum of 2 years of postdoctoral research experience, including
a demonstrated ability to engage in independent research.
Written assurance from an institution in the home country that there
is a position to which the applicant can return af ter completing the
fellowship.
Information collected through the mentor form includes: Personal
information (name); Contact information (e-mail address, work
phone number); Educational history (university, academic major,
attendance dates, degree awarded); Resume components (position
title, name and address of institution); Mentorship background
(number of Pre- and Postdoctoral Fellows mentored, names and
current employer of most recent mentored fellows); list of significant
publications, awards, honors, and/or membership on current federal
government public advisory committees; mentor's statement of
support of applicant's postdoctoral training and research proposal;
and mentor certification and acceptance of terms. To be considered, a
mentor must be a NIDA-funded researcher in the United States. The
mentor's NIDA-funded grant must be active throughout the proposed
fellowship period.
Users access the International Research Fellowship Award Program
application using NIH Identity, Credential, and Access Management
(IAM) Services which maintains its own unique privacy impact
assessment (PIA) on record, including all legal authorities
documented. The purpose of the IAM is to authenticate and
authorize all users and computers in a Windows domain type
network; assigning and enforcing information security policies for all
computers and installing or updating software. The IAM collects
For Official Use Only (FOUO)
Page 3
unique usernames and passwords (user credentials) and stores them
in an encrypted format. The IAM is an essential service which
facilitates and governs network access to various resources.
Accept / Reject Status
Undefined
Question 12 Comment
The information collected during the application process is used to
make basic eligibility determinations and to provide the scientific
reviewers the information necessary to assess the scientific merit of
the full application (applicant and mentor responses), the proposal's
relevance to drug use and addiction and NIDA's research mission,
adequacy of the applicant's education and experience to conduct the
proposed research, likelihood that the proposed research can be
completed within 1 year, and compatibility of the applicant's and
mentor's objectives.
Information collected through the applicant form includes: Personal
information (name, year of birth); Contact information (mailing,
e-mail, phone for current and permanent address); Educational
history (university, academic major, attendance dates, degree
awarded); Employment history (position title, organization, duties
and responsibilities, dates of employment); Resume components
(position title, name and address of institution); name and address of
13. Provide an overview of
mentor and contact information; list of publications, professional
the system and describe the
reference names and contact information; research abstract and
information it will collect,
proposal, and applicant certification and acceptance of terms.
maintain (store), or share,
Requirements for eligibility include:
either permanently or
An earned doctoral degree in medicine, public health, or biomedical,
temporarily.
behavioral, or social sciences.
A minimum of 2 years of postdoctoral research experience, including
a demonstrated ability to engage in independent research.
Written assurance from an institution in the home country that there
is a position to which the applicant can return after completing the
fellowship.
Information collected through the mentor form includes: Personal
information (name); Contact information (e-mail address, work
phone number); Educational history (university, academic major,
attendance dates, degree awarded); Resume components (position
title, name and address of institution); Mentorship background
(number of Pre- and Postdoctoral Fellows mentored, names and
current employer of most recent mentored fellows); list of significant
publications, awards, honors, and/or membership on current federal
government public advisory committees; mentor's statement of
support of applicant's postdoctoral training and research proposal;
For Official Use Only (FOUO)
Page 4
and mentor certification and acceptance of terms. To be considered,
a mentor must be a NIDA-funded researcher in the United States.
The mentor's NIDA-funded grant must be active throughout the
proposed fellowship period.
Users access the International Research Fellowship Award Program
application using NIH IAM Services which maintains its own unique
privacy impact assessment (PIA) on record, including all legal
authorities documented.
Accept / Reject Status
Undefined
Question 13 Comment
14. Does the system collect,
Yes
maintain, use or share PII?
Accept / Reject Status
Undefined
Question 14 Comment
15. Indicate the type of PII
that the system will collect
or maintain.
Name, E-Mail Address, Phone Numbers, Certificates, Education
Records, Mailing Address, Employment Status
Resume, publications, references, research abstracts, year of birth
Awards, honors, memberships, citizenship
Accept / Reject Status
Undefined
Question 15 Comment
16. Indicate the categories of
individuals about whom PII
Employees, Public Citizens
is collected, maintained or
shared.
Accept / Reject Status
Undefined
Question 16 Comment
For Official Use Only (FOUO)
Page 5
17. How many individuals'
PII is in the system?
Less than 100
Accept / Reject Status
Undefined
Question 17 Comment
18. For what primary
purpose is the PII used?
The primary purpose of collecting personally identifiable information
(PII) is to make basic eligibility determinations for acceptance in to
the program or become a mentor.
Accept / Reject Status
Undefined
Question 18 Comment
19. Describe the secondary
uses for which the PII will
The secondary use would be to contact applicant and mentor during
be used (e.g. testing, training application review and award decision process.
or research)
Accept / Reject Status
Undefined
Question 19 Comment
20. Describe the function of
N/A. SSN is not collected
the SSN.
Accept / Reject Status
Undefined
Question 20 Comment
20a. Cite the legal authority
N/A. SSN is not collected
to use the SSN.
21. Identify legal authorities
governing information use
42 U.S.C 241
and disclosure specific to the
system and program.
22. Are records on the
system retrieved by one or
more PII data elements?
Yes
Accept / Reject Status
Undefined
For Official Use Only (FOUO)
Page 6
Question 22 Comment
22a. Identify the number and title of the Privacy Act System of Records Notice (SORN) that is
being used to cover the system or identify if a SORN is being developed.
Published:
09-25-0014 "Clinical Research: Student Records
Published:
Published:
In Progress
Undefined
23. Identify the sources of
PII in the system.
Online, Members of the Public
Accept / Reject Status
Undefined
Question 23 Comment
23a. Identify the OMB
information collection
approval number and
expiration date.
OMB #0925-0733
Expires 07/31/2022
24. Is the PII shared with
other organizations?
No
Accept / Reject Status
Undefined
Question 24 Comment
24a. Identify with whom the PII is shared or disclosed and for what purpose.
Within HHS
Undefined
Other Federal
Agency/Agencies
Undefined
State or Local
Agency/Agencies
Undefined
For Official Use Only (FOUO)
Page 7
Private Sector
Undefined
24b. Describe any
agreements in place that
authorizes the information
sharing or disclosure (e.g.
Computer Matching
Agreement, Memorandum of
Understanding (MOU), or
Information Sharing
Agreement (ISA)).
24c. Describe the procedures
for accounting for
disclosures.
25. Describe the process in
place to notify individuals
that their personal
Application instructions are posted on the website and explain the
information will be
information to be gathered to determine eligibility.
collected. If no prior notice
is given, explain the reason.
Accept / Reject Status
Undefined
Question 25 Comment
26. Is the submission of PII
by individuals voluntary or
mandatory?
Voluntary
Accept / Reject Status
Undefined
Question 26 Comment
27. Describe the method for
individuals to opt-out of the
collection or use of their PII. The online application is only required if the person chooses to apply
If there is no option to object for the program. The person can choose not to apply and thus opt-out.
to the information collection,
provide a reason.
Accept / Reject Status
Undefined
For Official Use Only (FOUO)
Page 8
Question 27 Comment
28. Describe the process to
notify and obtain consent
from the individuals whose
PII is in the system when
major changes occur to the
system (e.g., disclosure
Participants are required to opt in to consent of the information
and/or data uses have
collected prior to completing an application.
changed since the notice at
the time of original
collection). Alternatively,
describe why they cannot be
notified or have their consent
obtained.
Accept / Reject Status
Undefined
Question 28 Comment
29. Describe the process in
place to resolve an
individual's concerns when
they believe their PII has
been inappropriately
obtained, used, or disclosed,
or that the PII is inaccurate.
If no process exists, explain
why not.
There is currently no process in place since we do not believe this is a
foreseeable event. Should an individual raise a concern, NIDA
would treat it as an incident, investigate, and attempt to resolve
accordingly.
Accept / Reject Status
Undefined
Question 29 Comment
30. Describe the process in
place for periodic reviews of
PII contained in the system
to ensure the data's integrity,
availability, accuracy and
relevancy. If no processes
are in place, explain why
not.
All PII collected will be permanently deleted from the system after
each fellowship application period (yearly). It will not be used for
any other purpose than described so periodic reviews are not
relevant.
Accept / Reject Status
Undefined
For Official Use Only (FOUO)
Page 9
Question 30 Comment
31. Identify who will have access to the PII in the system and the reason why they require access.
Users
Yes
Users have access to their own information.
Administrators
Yes
Administrators may be applicant reviewers and provide system
management & operations.
Developers
Yes
Developers provide system development/enhancements,
management, and operations.
Contractors
Yes
Direct contractors may be administrators and/or developers.
Others
Undefined
32. Describe the procedures
in place to determine which Access to PII is assigned to personnel based upon current job
system users (administrators, responsibilities. An IAM login account is required to gain access to
developers, contractors, etc.) the stored PII data.
may access PII.
Accept / Reject Status
Undefined
Question 32 Comment
33. Describe the methods in
place to allow those with
Access to PII is assigned to personnel based upon current job
access to PII to only access
responsibilities. An IAM login account is required to gain access to
the minimum amount of
the stored PII data.
information necessary to
perform their job.
Accept / Reject Status
Undefined
Question 33 Comment
34. Identify training and
awareness provided to
personnel (system owners,
All personnel who manage or operate NIH applications must
successfully complete annual privacy and security awareness
training. There are five categories of mandatory information
For Official Use Only (FOUO)
Page 10
managers, operators,
contractors and/or program
managers) using the system
to make them aware of their
responsibilities for
protecting the information
being collected and
maintained.
technology (IT) training (Information Security, Counterintelligence,
Privacy Awareness, Records Management and Emergency
Preparedness). Training is completed on the
http://irtsectraining.nih.gov site with valid NIH credentials.
Accept / Reject Status
Undefined
Question 34 Comment
35. Describe training system
users receive (above and
Administrators and Privileged Users require additional training
beyond general security and specific to their roles and responsibilities.
privacy awareness training).
Accept / Reject Status
Undefined
Question 35 Comment
36. Do contracts include
Federal Acquisition
Regulation and other
Yes
appropriate clauses ensuring
adherence to privacy
provisions and practices?
Accept / Reject Status
Undefined
Question 36 Comment
NIH Records schedule 02-005 - Official Case Files of Applications
and Awards, Appeals, and Litigation Records for Grants,
Cooperative Agreements, and Other Transaction Activities.
37. Describe the process and
Official case files of funded and unfunded grants and cooperative
guidelines in place with
agreements, award applications, and appeals and litigation records.
regard to the retention and
Records also include those supporting other transaction awards and
destruction of PII. Cite
activities. Disposition: Cut off annually following completion of
specific records retention
final award-related activity that represents closing of the case file
schedules.
(e.g., end of project period, completed final peer review, litigation or
appeal proceedings concluded). Destroy 30 year(s) after cutoff.
Disposition authority: DAA-0443-2019-0008
For Official Use Only (FOUO)
Page 11
Accept / Reject Status
Undefined
Question 37 Comment
Physical controls include 24x7 guards of mobile units used to collect
data, Personal Identify Verification (PIV) key cards and closed
circuit television (TV).
38. Describe, briefly but
with specificity, how the PII
will be secured in the system
using administrative,
technical, and physical
controls.
Accept / Reject Status
Technical controls include User identification (ID), passwords,
network firewall, Virtual Private Network (VPN), Intrusion
Detection System, Role Based Access Controls, System logs.
Administrative controls include system security and contingency
plan. Files are backed up regularly and stored offsite. Contract
clauses ensure adherence to privacy provisions and practices, least
privilege through role-based access, and policies for retention and
destruction of PII.
Undefined
Question 38 Comment
39. Identify the
publicly-available URL.
https://nidaextshare.nida.nih.gov/INVEST/SitePages/Home.aspx
https://nidaextshare.nida.nih.gov/INVEST/SitePages/mentor.aspx
Accept / Reject Status
Undefined
Question 39 Comment
40. Does the website have a
Yes
posted privacy notice?
Accept / Reject Status
Undefined
Question 40 Comment
40a. Is the privacy policy
available in a
machine-readable format?
Yes
For Official Use Only (FOUO)
Page 12
41. Does the website use
web measurement and
customization technology?
No
Accept / Reject Status
Undefined
Question 41 Comment
41a. Select the type of website measurement and customization technologies is in use and if it is
used to collect PII. (Select all that apply).
Web Beacons
No
Collects PII?
Undefined
Web Bugs
No
Collects PII?
Undefined
Session Cookies
No
Collects PII?
Undefined
Persistent Cookies
No
Collects PII?
Undefined
Other ...
Collects PII?
Undefined
42. Does the website have
any information or pages
No
directed at children under the
age of thirteen?
Accept / Reject Status
Undefined
Question 42 Comment
42a. Is there a unique
privacy policy for the
website, and does the unique
Undefined
privacy policy address the
process for obtaining
parental consent if any
For Official Use Only (FOUO)
Page 13
information is collected?
43. Does the website contain
links to non-federal
No
government websites
external to HHS?
Accept / Reject Status
Undefined
Question 43 Comment
43a. Is a disclaimer notice
provided to users that follow
Undefined
external links to websites not
owned or operated by HHS?
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to
be filled out unless the user is an OPDIV Senior Officer for Privacy.
1. Are the questions on the
PIA answered correctly,
Undefined
accurately, and completely?
Reviewer Notes
Accept / Reject Status
Undefined
Question 1 Comment
2. Does the PIA
appropriately communicate
the purpose of PII in the
Undefined
system and is the purpose
justified by appropriate legal
authorities?
Reviewer Notes
Accept / Reject Status
Undefined
Question 2 Comment
For Official Use Only (FOUO)
Page 14
3. Do system owners
demonstrate appropriate
understanding of the impact
of the PII in the system and Undefined
provide sufficient oversight
to employees and
contractors?
Reviewer Notes
Accept / Reject Status
Undefined
Question 3 Comment
4. Does the PIA
appropriately describe the
PII quality and integrity of
the data?
Undefined
Reviewer Notes
Accept / Reject Status
Undefined
Question 4 Comment
5. Is this a candidate for PII
Undefined
minimization?
Reviewer Notes
Accept / Reject Status
Undefined
Question 5 Comment
6. Does the PIA accurately
identify data retention
procedures and records
retention schedules?
Undefined
Reviewer Notes
Accept / Reject Status
Undefined
Question 6 Comment
For Official Use Only (FOUO)
Page 15
7. Are the individuals whose
PII is in the system provided Undefined
appropriate participation?
Reviewer Notes
Accept / Reject Status
Undefined
Question 7 Comment
8. Does the PIA raise any
concerns about the security
of the PII?
Undefined
Reviewer Notes
Accept / Reject Status
Undefined
Accept / Reject Status
Undefined
Question 8 Comment
9. Is applicability of the
Privacy Act captured
correctly and is a SORN
published or does it need to
be?
Undefined
Reviewer Notes
Accept / Reject Status
Undefined
Accept / Reject Status
Undefined
Question 9 Comment
10. Is the PII appropriately
limited for use internally and Undefined
with third parties?
Reviewer Notes
Accept / Reject Status
Undefined
Question 10 Comment
11. Does the PIA
Undefined
For Official Use Only (FOUO)
Page 16
demonstrate compliance
with all Web privacy
requirements?
Reviewer Notes
Accept / Reject Status
Undefined
Question 11 Comment
12. Were any changes made
to the system because of the Undefined
completion of this PIA?
Reviewer Notes
Accept / Reject Status
Undefined
Question 12 Comment
General Comments
This module is under the National Institute on Drug Abuse (NIDA)
6101 General Support System whose Universal Unique Identifier
(UUID) is: 634C0CC9-0191-4EA9-8AAF-076D61FC021B
OMB #0925-0733 has been issued an extension to 07/31/2022
Status and Approvals
IC Status
IC Approved
OSOP Status
Pending Privacy Officer Review
OPDIV Senior Official for
Privacy Signature
HHS Senior Agency Official
for Privacy
For Official Use Only (FOUO)
Page 17
File Type | application/pdf |
Author | Abdelmouti, Tawanda (NIH/OD) [E] |
File Modified | 2022-05-04 |
File Created | 2022-05-04 |