Privacy Impact Assessment Form
v 1.47.4
Status: Draft
Form Number: F-25337
Form Date: 2/26/2019 8:46:16 AM

Question | Answer

1 OPDIV: CDC
2 PIA Unique Identifier: P-6902544-932285
2a Name: Modernization Platform (MPN)
3 The subject of this PIA is which of the following?
General Support System (GSS) / Major Application / Minor Application (stand-alone) / Minor Application (child) / Electronic Information Collection / Unknown
3a Identify the Enterprise Performance Lifecycle Phase of the system.
Operations and Maintenance
3b Is this a FISMA-Reportable system?
Yes / No
4 Does the system include a Website or online application available to and for the use of the general public?
Yes / No
5 Identify the operator.
Agency / Contractor
6 Point of Contact (POC):
POC Title: Associate Director for IT
POC Name: Mike Loudermilk
POC Organization: CDC/NIOSH/OD
POC Email: [email protected]
POC Phone: 404.498.1988
7 Is this a new or existing system?
New / Existing
8 Does the system have Security Authorization (SA)?
Yes / No
8b Planned Date of Security Authorization
August 9, 2019 / Not Applicable
Page 1 of 12
11 Describe the purpose of the system.
Modernization Platform (MPN) is a strategic effort to align existing National Institute for Occupational Safety and Health (NIOSH) investments to open standards and modern data services. This platform provides a framework to effectively manage and provide oversight of NIOSH Information Technology (IT) systems while encouraging the adoption of the NIOSH Analytical Data Warehouse and the Centers for Disease Control and Prevention (CDC) Cloud Strategy. The platform supports the replacement and limited redevelopment of NIOSH applications using agile methodologies.
12 Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)
MPN will maintain information such as social security numbers (SSN), names, email, address, phone, medical notes, certificates, date of birth (DOB), photographic identifiers, biometric identifiers, demographic information, medical record numbers, and employment status.
MPN collects external users’ business contact information (email and phone number). Other related data includes the types of injuries/fatalities involved in an incident and general time and physical location information related to the incident. Desensitized narratives from surveys and injury contexts are also collected.
All full-time employees and contractors that utilize MPN use CDC user credentials/PIV card to access the system in conjunction with authentication by Active Directory within the CDC/ATSDR Enterprise. AD has its own system and PIA. External partners authenticate via Secure Access Management Services (SAMS), which has its own PIA.
13 Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.
The MPN helps to store and share information amongst the NIOSH divisions, which are located in various states. The information collected is accessed by authorized NIOSH employees, giving them the ability to enter, search, and view collected data.
MPN uses the miner's SSN to search for data, verify identity, and group radiographs taken during a miner's lifetime.
MPN collects and maintains identifying information about the workers involved in the safety incident, such as participants' names, to ensure collected data is associated with the correct person. DOB is collected to understand the relationship between age and safety. Medical information (medical notes, medical records number, biometric identifiers) is collected to understand the safety and health risks of certain tasks and/or environments. Demographic information like ethnicity or gender is collected to understand the role of ethnicity and gender in safety. Contact information is collected to ensure that program participants can be contacted. Employment status is collected to understand how a worker's role and industry employment relate to safety.
Other data collected includes the types of injuries/fatalities involved in an incident, for safety incident type classification, and general time and physical location information related to the incident, to understand environmental context. Desensitized narratives from surveys may help clarify the root causes and contributing factors of the incident. Injury context is collected in order to organize each safety incident into quantifiable data that can be analyzed.
MPN collects external users’ business contact information (email and phone number) for account set up and user support.
All full-time employees and contractors that utilize MPN use CDC user credentials/PIV card to access the system in conjunction with Active Directory Services within the CDC/ATSDR Enterprise. AD has its own system and PIA. External partners authenticate via Secure Access Management Services (SAMS), which has its own PIA.
14 Does the system collect, maintain, use or share PII?
Yes / No
15 Indicate the type of PII that the system will collect or maintain.
Social Security Number
Date of Birth
Name
Photographic Identifiers
Driver's License Number
Biometric Identifiers
Mother's Maiden Name
Vehicle Identifiers
E-Mail Address
Mailing Address
Phone Numbers
Medical Records Number
Medical Notes
Financial Account Info
Certificates
Legal Documents
Education Records
Device Identifiers
Military Status
Employment Status
Foreign Activities
Passport Number
Taxpayer ID
Demographic info
16 Indicate the categories of individuals about whom PII is collected, maintained or shared.
Employees / Public Citizens / Business Partners/Contacts (Federal, state, local agencies) / Vendors/Suppliers/Contractors / Patients / Other
Other: Publication Authors, Respirator Manufacturers seeking approval.
17 How many individuals' PII is in the system?
1,000,000 or more
18 For what primary purpose is the PII used?
MPN collects external users’ business contact information (email and phone number) for account set up and user support. MPN collects and maintains identifying information about the workers involved in the safety incident, such as participants' names, to ensure collected data is associated with the correct person. DOB is collected to understand any relationship between age and safety. Medical information (medical notes, medical records number, biometric identifiers) is collected to understand the safety and health risks of certain tasks and/or environments.
19 Describe the secondary uses for which the PII will be used (e.g. testing, training or research)
Secondary uses for collecting PII include informing workers of study findings, analyzing data, administering surveys, contacting participants, verifying the miner's identity, keeping records of procedures performed within the system, and user account setup and user support.
20 Describe the function of the SSN.
MPN uses the miner's SSN to search for data, verify identity, and group radiographs taken during a miner's lifetime. The SSN is also used in determining whether a match is for a particular worker. The set of information which MPN and the data source have in common typically consists of SSN, name, date of birth, and gender. These fields are used to ascertain whether a linked record for a worker is a true match, a false match, or whether it remains unclear. Without the SSN, many of these determinations would be impossible.
20a Cite the legal authority to use the SSN.
Federal Mine Safety and Health Act, Section 203, and Occupational Safety and Health Act, Section 20
21 Identify legal authorities governing information use and disclosure specific to the system and program.
Occupational Safety and Health Act, Section 20, "Research and Related Activities" (29 U.S.C. 669); Federal Mine Safety and Health Act of 1977, Sections 203, "Medical Examinations" and 501, "Research" (30 U.S.C. 843, 951); Public Health Service Act, Section 301, "Research and Investigation" (42 U.S.C. 241).
22 Are records on the system retrieved by one or more PII data elements?
Yes / No
22a Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed.
Published: 09-20-0149 | Morbidity Studies in Coal Mining, Metal and Non-metal Mining and General Industry.
In Progress
23 Identify the sources of PII in the system.
Directly from an individual about whom the information pertains: In-Person / Hard Copy: Mail/Fax / Email / Online / Other
Government Sources: Within the OPDIV / Other HHS OPDIV / State/Local/Tribal / Foreign / Other Federal Entities / Other
Non-Government Sources: Members of the Public / Commercial Data Broker / Public Media/Internet / Private Sector / Other
23a Identify the OMB information collection approval number and expiration date.
OMB 0920-0953, Expires 08/31/2021
OMB 0920-0260, Expires 10/31/2020
24 Is the PII shared with other organizations?
Yes / No
24a Identify with whom the PII is shared or disclosed and for what purpose.
Within HHS: PII is provided to allow users to contact the publication author with questions/comments.
Other Federal Agency/Agencies: The Mine Safety and Health Administration (MSHA) may be provided PII when needed, as NIOSH runs the Coal Workers' Health Surveillance Program (CWHSP) on their behalf. PII is provided to the IRS for matching with their database in order to identify addresses for workers. PII is also provided to the Department of Energy in order to obtain additional exposure data and study data.
State or Local Agency/Agencies: PII is provided to allow users to contact the publication author with questions/comments. PII is also provided to state statistics offices and state cancer registries.
Private Sector: PII is provided to allow users to contact the publication author with questions/comments. Analysis files not containing direct identifiers may be shared with collaborators or researchers interested in replicating the study, either through a data use agreement or at a research data center. Lab testing with a Clinical Laboratory Improvement Amendments (CLIA) certified lab.
24b Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).
Agreements are in place for data sharing as follows:
1) Data exchanged with the National Death Index (NDI) is governed by the NDI process, which includes an application process with protocol review of new studies.
2) Data exchanged with the Internal Revenue Service (IRS) is governed under Title 26, Internal Revenue Code 6103(m)(3) (https://www.irs.gov/irm/part11/irm_11-003-029) as amended (Appendix A) and Public Law 96-128, title V, Sec. 502, as amended (http://thomas.loc.gov/cgi-bin/bdquery/z?d096:HR02282:@@@D&summ2=m&). NIOSH has been granted authority for this type of search and has been vetted by the IRS to gain access to and use their secure FTP site.
3) Data exchanged with the Department of Energy (DOE) is governed by an Interagency Agreement to collect study records from the various sites.
4) Data exchanged with state Vital Records departments is governed by an approval process with each state at the time requested.
5) Data exchanged with state cancer registries is governed by an approval process with each state at the time requested.
7) Study analysis files not containing direct identifiers are governed by Data Use Agreements or by restricted access through the National Center for Health Statistics (NCHS) Research Data Center.
24c Describe the procedures for accounting for disclosures.
Health Management Systems (HMS) Federal has established International Organization for Standardization (ISO) 9001 procedures for accounting for disclosures under this system. This is maintained by the system owner. The disclosure ledger includes the date, the name (and address, if known) of the receiving person or agency, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the disclosure request). This ledger is captured in a spreadsheet.
25 Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
The Miner Identification Form explains how the miner information will be kept private and requires them to sign, granting NIOSH permission to collect and use the data, when requesting a chest radiograph or pulmonary function test.
When voluntarily signing up for an account, individuals provide business contact information. The website form describes the information collection and the use of PII.
Users requesting access to the system for a specific role will be notified during the request, either verbally or by email, that their user ID will be stored. New employees are notified via email or verbally that their information will be stored.
26 Is the submission of PII by individuals voluntary or mandatory?
Voluntary / Mandatory
27 Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
Participation is voluntary and initiated by the users. Users opting to participate are required to provide business contact information as needed for account setup and user support. Once established, users can opt out by contacting [email protected] and their account will be disabled.
28 Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
Users are notified of system updates via the email address they provide. Major changes in the use of PII are not anticipated and have not occurred. No consent process has been developed.
29 Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
If PII has been inappropriately obtained, used, or disclosed, or if the PII is inaccurate, an individual can contact the system's program manager at [email protected]. Concerns about PII can be directed to NIOSH MPN administrators at [email protected]. The administrators will direct the concern to the system security steward, who will reach out to the individual and division management, NIOSH's Information System Security Officer, and CDC's Privacy Office for an appropriate resolution.
30 Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
PII contained in the system is reviewed by MPN administrators weekly and any incorrect information is remedied. Additionally, users or authors may request their information be updated by sending an email to the system administrators.
Integrity checks include: data entry staff verify that PII matches the form when entering the data; entered data are compared to appropriate valid ranges of values; databases are designed to eliminate redundancies; and database constraints require values for critical fields and disallow invalid values. Workers' addresses are updated prior to notifications.
Users may update their email address and phone number by sending updates to [email protected]. Reviews are conducted by NIOSH's Project Manager.
31 Identify who will have access to the PII in the system and the reason why they require access.
Users: Program researchers will have access to their program's PII data in order to conduct analysis. Users are able to respond to inquiries.
Administrators: For creating user accounts, communicating system status, and providing user support.
Developers:
Contractors: Direct contractors serving as users and administrators.
Others:
32 Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
MPN utilizes Role Based Access Control (RBAC) that enforces the most restrictive permissions for authorized users based on their role. The Business Stewards determine which users can access PII based on their job role. Authorized administrators and users are the only ones who can access the PII, and they are authenticated against a list of users via Active Directory. The Business Steward ensures users complete tasks with only the privilege necessary to perform their separate job functions. Administrators access PII in order to run reports and update the documentation criteria.
Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.
MPN personnel are identified at the project level by role, and
only appropriate personnel with the requisite skills and
knowledge are assigned to the project in the required role.
System users and administrators are given access based on the
principles of least privilege. Least Privilege model is applied,
ensuring privilege levels no higher than necessary to
accomplish required functions.
Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.
All users complete Security and Privacy Awareness Training at
least annually.
Describe training system users receive (above and
35 beyond general security and privacy awareness
training).
The Division of Field Studies and Engineering (DFSE) annually
provides 308(d) training that includes Confidentiality as well as
Privacy Act and security training.
System administrators complete HHS Role Based Training at
least annually.
Freedom of Information (FOIA) and Privacy Act Training
36 Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?
Yes / No
37 Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.
NIOSH handles and retains information system output in accordance with the CDC Records Management Policy, the CDC Records Control Schedule, and other applicable record scheduling procedures prescribed by the General Records Schedule (GRS) and the National Archives and Records Administration (NARA). System stewards consult with the CDC Records Manager to identify applicable records scheduling requirements and otherwise manage electronic records.
Applicable records schedules:
Records Schedule 16, Item 14
Records Schedule N1-442-09-1, item 3 (4-57)
Records Schedule N1-442-09-1, item 2
Records Schedule N1-GRS-98-2, item 23
Records Schedule CDC N1-442-2009-01, items 3 and 4
Records Schedule N1-442-09-1
GRS 20.2D
Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.
Administrative: only authorized employees can access using
PIV card and system authentication.
The business steward authorizes new users for the system.
Data is secured by Active Directory and access is only granted
to users authorized by the business steward. Data is stored on
an encrypted database server. The servers and hard-copy
records reside in secured facilities which require PIV card
access. Comprehensive security plans are formalized through
the Security Assessment and Authorization (SA&A) process to
validate compliance with Federal Information Security
Management Act (FISMA) requirements.
Technical: both database layer and application layer access is
controlled by PIV card (network user credentials) to prevent
unauthorized access. PII is secured on the CDC network using
network shares and Server databases that limit access to the
appropriate staff. The network is protected with firewalls, and
intrusion detection systems. All users complete Security and
Privacy Awareness Training at least annually.
Physical: Hosted and stored on the consolidated web server
and database server which is located in a locked secure CDC
facility, secured with guards, ID badges, key cards and closed
circuit television (CCTV) with access only by authorized badged
staff or escorted visitors.
39 Identify the publicly-available URL:
MPN is a platform framework that involves multiple URLs.
https://wwwn.cdc.gov/HHERequest
https://wwwn.cdc.gov/niosh-statedocs/Default.aspx
https://www.cdc.gov/niosh/topics/NOMS/
https://wwwn.cdc.gov/Niosh-whc/
https://wwwn.cdc.gov/NIOSH-CEL/
https://wwwn.cdc.gov/eworld
https://wwwn.cdc.gov/niosh-mining/
https://wwwn.cdc.gov/niosh-npg
https://wwwn.cdc.gov/niosh-oeb
https://wwwn.cdc.gov/niosh-ohsn
https://wwwn.cdc.gov/niosh-rhd
https://wwwn.cdc.gov/PPEINFO/Search
https://wwwn.cdc.gov/wisards/
https://wwwn.cdc.gov/wpvhc
40 Does the website have a posted privacy notice?
Yes / No
40a Is the privacy policy available in a machine-readable format?
Yes / No
41 Does the website use web measurement and customization technology?
Yes / No
41a Select the type of website measurement and customization technologies in use and if it is used to collect PII. (Select all that apply)
Technologies | Collects PII?
Web beacons | Yes / No
Web bugs | Yes / No
Session Cookies | Yes / No
Persistent Cookies | Yes / No
Omniture | Yes / No
Other: Session Storage via browser | Yes / No
42 Does the website have any information or pages directed at children under the age of thirteen?
Yes / No
43 Does the website contain links to non-federal government websites external to HHS?
Yes / No
General Comments
Q40a: In accordance with HHS’s “Rescission of Office of the Chief Information Officer/Superseded Policy for Machine Readable Privacy Policies and Related Guidance Documents” memo, MRPP cannot be validated due to obsolete technology and the suspension of work on P3P by the Platform for Privacy Preferences Project workgroup.
OPDIV Senior Official for Privacy Signature
Beverly E. Walker -S
Digitally signed by Beverly E. Walker -S
Date: 2019.08.07 11:52:04 -04'00'
File Type | application/pdf |
File Modified | 2019-08-07 |
File Created | 2016-03-30 |