06.4 Third Party Web PIA (Form) / NIH/NEI/SurveyMonkey |
|
TPWA_PIA |
1 |
Overview |
The PIA determines if Personally Identifiable Information (PII) is contained within a system, the kind of PII involved, what is done with that information, and how the PII is protected. OPDIV/STAFFDIV uses of third-party Websites or applications are subject to requirements based on privacy laws, regulations, and guidance. The Department of Health and Human Services (HHS) Privacy Act Officer may be contacted for issues related to the Freedom of Information Act (FOIA) and/or the Privacy Act. Respective HHS Operating Division (OPDIV) Privacy Contacts may be contacted for issues related to the Privacy Act. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions related to the administrative, technical, and physical controls of the system. |
This Privacy Impact Assessment is to be completed in accordance with Office of Management and Budget (OMB) Memorandum (M) 03-22 Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 and OMB M-10-23 Guidance for Agency Use of Third-Party Websites and Applications. For complete background and guidance, please read the Standard Operating Procedures (SOPs) for the Privacy Impact Assessment for Third-Party Websites of Applications prior to completing this PIA. |
Questions with an asterisk (*) represent the information necessary to complete the PIA Summary for transmission to OMB and public posting in accordance with OMB M-03-22 and OMB M-10-23. |
2 |
General Information |
1. Third-Party Website or Application Name: |
NIH/OD/SurveyMonkey |
|
|
2. Is this a new PIA? |
Yes |
2a. If this is a revision of an existing PIA, please provide a reason for revision: |
N/A |
|
|
3. Date of this Submission: |
December 1, 2014 |
|
|
4. OPDIV Name: |
NIH |
|
|
5. Unique Project Identifier (UPI) Number for current fiscal year (if applicable): |
N/A |
|
|
6.Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? |
No |
6a. If yes, indicate the SORN number or describe the plans to put one in place: |
N/A |
|
|
7. Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? |
No |
7a. If yes, indicate the OMB approval number and approval number expiration date or describe the plans to obtain OMB clearance: |
N/A |
|
|
8. Does the third-party Website or application contain Federal records? |
Yes |
|
|
|
*9. Point of Contact (POC). The POC is the person to whom questions about the responses to the third-party Website or application PIA may be addressed: |
|
|
|
|
|
|
Point of Contact Information |
|
|
|
Name |
Mark Lyubovitsky |
|
|
Title |
Privacy SME, NIH/OD/OM/OMA/DMS |
|
|
Location |
6011 Executive Boulevard, Suite 601. Rockville, MD 20892 |
|
|
Phone Number |
(301) 451-3426 |
|
|
10. Describe the specific purpose for the OPDIV use of the third-party Website or application: |
SurveyMonkey.com is a company that offers powerful web-based survey solutions so organizations of all sizes can gain the insights they need to make more informed decisions. It enables users to create their own web-survey, collect responses and analyze results using free (e.g., basic) and enhanced paid products and services (e.g., select, gold and platinum). It is used by survey creators (people who create and conduct surveys online) and survey respondents (people who answer those surveys). It allows a user to design a survey using several question formats (e.g., multiple choice, true/false, open-ended) and color palettes, e-mail and track respondents and export data into SAS/SPSS programs for more complex analysis. It collects information (personal data, registration/billing information, account settings, address book information, survey data, server web logs and other data intentionally shared) in order to assess customer satisfaction and/or evaluate the effectiveness of a program. The user can make surveys completely public and indexable by search engines, password protect them, distribute them to a restricted list of people or choose to share survey responses instantly or at a public location.
By default, surveys are anonymous if the survey creator chooses to configure their settings as such. However, specific questions in the survey may still ask an individual to provide personal information or data that could be used to identify them. Anything a respondent expressly discloses in their survey response will, naturally, be provided to the user.
SurveyMonkey does not sell survey responses to third parties and do not use any contact details collected in its customers’ surveys to contact survey respondents.
SurveyMonkey does however, use the information it collects (e.g., usage data, device data, referral data and information from page tags) to manage and improve its services.
The SurveyMonkey privacy policy can be found at http://www.surveymonkey.com/mp/policy/privacy-policy/
|
3 |
Requirements |
11. Have the third-party’s privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? |
Yes |
|
|
12. Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: |
The alternative option is for the public to complete the survey by mail. |
|
|
13. Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? |
No |
|
|
14. How does the public navigate to the third-party Website or application from the OPDIV: (i) an external hyperlink from an HHS Website or Website operated on behalf of HHS; (ii) incorporated or embedded on HHS Website; or (iii) Other? |
All. |
14a. If other, please describe how the public navigates to the third-party Website or application: |
|
14b. If the public navigates to the third-party Website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? |
Yes |
4 |
Notice Practices |
15. Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? |
Yes |
15a. Provide a hyperlink to the OPDIV Privacy Policy: |
http://www.nih.gov/about/privacy.htm
|
|
|
16. Is an OPDIV Privacy Notice posted on the third-party Website or application? |
Yes |
16a. Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy. |
Yes |
16b. Is the OPDIV’s Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? |
Yes |
5 |
Information Collection & Use Practices |
17. Is PII collected by the OPDIV from the third-party Website or application? |
Yes |
18. Will the third-party Website or application make PII available to the OPDIV? |
Yes |
19. Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: |
Names, e-mail addresses, and work phone number are typically the only personal identifiers which the public could make available to OPDIV through use of survey monkey. |
6 |
Information Sharing & Maintenance Practices |
20. Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: |
The E-mail Invitation Collector feature will add a list of ten emails into SurveyMonkey in order to send a unique survey link through a message delivered by the SurveyMonkey mail server. When the e-mail server delivers the message, the system automatically generates ten unique links, each of which is tied to a specific e-mail address in the list via the tags included in the default message. Only the recipient will know his/her unique link. The survey creator will not be able to see assigned link inside the collector. As a user responds, his or her e-mail will be populated on the response in the Analyze section, and tracked by status in the Collector.
Upon creation of an account, the user must provide an unique user name and password that must be entered each time the user logs on. A session cookie will record encrypted authentication information for the duration of a specific session. NIH purchase the Gold package to ensure the use of Secure Sockets Layer (SSL) technology to protect user information using both server authentication and data encryption to ensure user data (e.g., passwords and credit card information) and responses of the survey respondents is safe, transmitted over a secure, encrypted connection, and available only to authorized persons. |
20a. If PII is shared, how are the risks of sharing PII mitigated? |
PII will typically only be shared with NIH staff for the purpose of contacting survey respondents for follow-up. |
|
|
21. Will the PII from the third-party Website or application be maintained by the OPDIV? |
No |
21a. If PII will be maintained, indicate how long the PII will be maintained: |
N/A |
|
|
22. Describe how PII that is used or maintained will be secured: |
N/A |
|
|
23. What other privacy risks exist and how will they be mitigated? |
NIH cannot control and protect the content of a survey application distributed by a third party website outside of the NIH network. However, IC’s will post a privacy notice at the top of the survey in the summary section.
Survey Monkey clearly posts on their disclaimer notice that they have no responsibility or liability for the compromise or loss of data, which increases NIH’s risk. |
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Manoj, Kanya [USA] |
File Modified | 0000-00-00 |
File Created | 2023-08-24 |