Privacy Impact Assessment (PIA): CDC - NEPHTN - QTR1 - 2023 - CDC6707755
Created Date: 3/21/2023 2:03 PM Last Updated: 4/7/2023 12:00 AM
Instructions
Review the following steps to complete this questionnaire:
1) Answer questions. Select the appropriate answer to each question. Question specific help text may be available via the
icon. If your answer dictates an explanation, a required text box will become available for you to add further information.
2) Add Comments. You may add question specific comments or attach supporting evidence for your answers by clicking on the
icon next to each question. Once you have saved the comment, the icon will change to the icon to show that a comment has been
added.
3) Change the Status. You may keep the questionnaire in the "In Process" status until you are ready to submit it for review. When
you have completed the assessment, change the Submission Status to "Submitted". This will route the assessment to the proper
reviewer. Please note that all values list questions must be answered before submitting the questionnaire.
4) Save/Exit the Questionnaire. You may use any of the four buttons at the top and bottom of the screen to save or exit the
questionnaire. The button allows you to complete the questionnaire. The button allows you to save your work and close the
questionnaire. The button allows you to save your work and remain in the questionnaire. The button closes the questionnaire without
saving your work.
Acronyms
ATO - Authorization to Operate
CAC - Common Access Card
FISMA - Federal Information Security Management Act
ISA - Information Sharing Agreement
HHS - Department of Health and Human Services
MOU - Memorandum of Understanding
NARA - National Archives and Record Administration
OMB - Office of Management and Budget
PIA - Privacy Impact Assessment
PII - Personally Identifiable Information
POC - Point of Contact
PTA - Privacy Threshold Assessment
SORN - System of Records Notice
SSN - Social Security Number
URL - Uniform Resource Locator
General Information
PIA Name:
CDC - NEPHTN - QTR1 - 2023 - CDC6707755
PIA ID:
6707755
Name of
Component:
National Environmental Public Health Tracking
Network
Name of ATO
Boundary:
National Environmental Public Health Tracking
Network
Overall Status:
PIA Queue:
Submitter:
POHL, Alan
# Days Open:
16
Submission
Status:
Submitted
Submit Date:
3/22/2023
Next
Assessment
Date:
N/A
Expiration Date:
Office:
DDNID
OpDiv:
CDC
Security
Categorization:
Moderate
Make PIA
available to
Public?:
Yes
Legacy PIA ID:
1:
Identify the Enterprise Performance Lifecycle Phase of the system
Operations and Maintenance
2:
Is this a FISMA-Reportable system?
Yes
3:
Does the system have or is it covered by a Security Authorization
to Operate (ATO)?
Yes
4:
ATO Date or Planned ATO Date
3/31/2023
PTA
PTA - 2:
Indicate the following reason(s) for this PTA. Choose from the
following options.
New Public Access
PTA - 2A:
Describe in further detail any changes to the system that have
occurred since the last PIA.
1) The Secure Access Management System
(SAMS) Distributed Processing System (DPS)
has been changed to SAMS Secure Data
Exchange (SDX) for data submission.
2) National Environmental Public Health
Tracking Network (NEPHTN) now uses
REDCap for additional data collection.
PTA - 3:
Is the data contained in the system owned by the agency or
contractor?
Agency
PTA - 4:
Please give a brief overview and purpose of the system by
describing what the functions of the system are and how the
system carries out those functions.
National Environmental Public Health Tracking
Network (NEPHTN) is a web-based Analysis
Information System that provides a “one-stop”
resource for identifying data specifically related
to understanding environmental-health
interactions. NEPHTN supplements and
leverages the work others have done to add to
and enhance the knowledge base of
environmental contributions to health outcomes.
NEPHTN provides the means to identify,
access, and organize hazard, exposure, and
health data from these various sources. Topics
for NEPHTN analysis include: Air Quality,
Asthma, Birth Defects, Cancer, Carbon
Monoxide Poisoning, Childhood Lead
Poisoning, Climate Change, Pesticides, Water
Systems and Heart Attacks. NEPHTN also
includes data from external users, such as state
and local health departments as well as data
from federal agencies; including the U.S.
Environmental Protection Agency (EPA),
National Aeronautics and Space Administration
(NASA) and U.S. Census Bureau. NEPHTN
also hosts the Agency for Toxic Substance and
Disease Registry (ATSDR) Request
Management Service System (ARMSS). This
subsystem is a web-based tracking and
reporting system to record the majority of
requests that ATSDR is responsible for.
NEPHTN uses state and national provided data
sets to display various data on the Secure and
Public Portal. NEPHTN utilizes the CDC Secure
Access Management System (SAMS)’s SDX
(Secure Data Exchange) to allow NEPHTN
grantees the ability to submit data to the
Tracking Network. This data goes through
additional manual processing before it is utilized
on the Secure and Public Portal. NEPHTN
allows users to interact with data via two
separate components (Secure and Public
Portal) to process the information within the
system in different ways. The design of the
Secure and Public Portal is similar but separate
in roles and access rights. It’s important to note
that the components of the Secure Portal are
deployed separately from the components of
the Public Portal, but the functionality provided
in both environments is similar.
PTA - 5:
List and/or describe all the types of information that are collected
(into), maintained, and/or shared in the system regardless of
whether that information is PII and how long that information is
stored.
NEPHTN is a portal for collecting and sharing
electronic health and environmental data.
NEPHTN also uses state and national provided
data sets to display various data on the Secure
and Public Portal. Names and business email
addresses are stored in the system.
Tracking collects and stores aggregated data at
State, County and Census Tract Level such as:
Population Health (Populations and
Vulnerabilities - Number/Percent of population
aged 5 with disabilities, Health Impact
Assessment - Estimated number of all-cause
deaths avoided, Lifestyle Risk Factors - Percent
of current, former and smoked).
Health Effects (Asthma - Number and Crude Rate of Hospitalizations and Emergency Department visits (ED Visits), Birth Defects - Average annual number of cases over 5 year period, Developmental Disabilities - Estimated prevalence of autism spectrum disorder, Childhood Lead Poisoning - Number/percent of children tested, Cancer - Annual number of cases)
Environment (Air Quality - Number of days above regulatory standard, Drinking Water - Number of water systems by concentration by chemical, Sunlight & Ultraviolet - Annual and Monthly average sunlight exposure)
Hazards (Toxic Substance Releases - Number/Percent of reported acute toxic substance releases, Pesticide Exposures - Number of minor effect illnesses from exposures)
In addition to the collection of health and
environmental data, NEPHTN also collects
information for product feedback and also from
our recipients for program evaluation and
monitoring using REDCap (Research Electronic
Data Capture-Component). We collect the
recipient’s workplan, program accomplishments
- public health actions (PHA), performance
measures, PHA impact follow up,
communication plan and web stats through
REDCap.
ARMSS will collect information regarding the
request such as location, site, request type,
request medium, what type of work is
requested, number of people affected,
contaminants, public health impact rating,
exposure rating, what status the request is in,
what products or services will be developed for
that request, and the lifecycle stage those
products or services are in.
Examples of data include:
Request (Request Type, Received Type,
Requested Activity, Request Date, Name,
Primary Concern)
Scoping (Scoping Date, Thirty Day Milestone,
Exposure Rating, Public Health Impact Rating,
Prioritization, Primary Contaminant)
Triage (Evidence of Exposure, Is Data
Sufficient, Data Receive Date, Fifteen Day
Milestone, Decision Review Date, Referred to
Agency, Acknowledgment Letter Sent Date)
Activity (Coop Program, Activity Name, Planned
Start Date, Notes, Status, Start Date, Complete
SDX Date)
Site (Name, Description, EPA Facility
Identification, Superfund Number, National
Priorities List Code Identification, Federal
Facility Identification, Address)
PTA - 5A:
Are user credentials used to access the system?
PTA - 5B:
Please identify the type of user credentials used to access the
system.
PTA - 6:
Describe why all types of information is collected (into),
maintained, and/or shared with another system. This description
should specify what information is collected about each category
of individual.
NEPHTN is a portal for collecting and sharing
electronic health and environmental data.
NEPHTN also uses state and national provided
data sets to display various data on the Secure
and Public Portal. Names and business email
addresses are stored in the system.
Tracking collects and stores aggregated data at
State, County and Census Tract Level such as:
Population Health (Populations and
Vulnerabilities - Number/Percent of population
aged 5 with disabilities, Health Impact
Assessment - Estimated number of all-cause
deaths avoided, Lifestyle Risk Factors - Percent
of current, former and smoked).
Health Effects (Asthma - Number and Crude Rate of Hospitalizations and ED visits, Birth Defects - Average annual number of cases over 5 year period, Developmental Disabilities - Estimated prevalence of autism spectrum disorder, Childhood Lead Poisoning - Number/percent of children tested, Cancer - Annual number of cases)
Environment (Air Quality - Number of days above regulatory standard, Drinking Water - Number of water systems by concentration by chemical, Sunlight & Ultraviolet - Annual and Monthly average sunlight exposure)
Hazards (Toxic Substance Releases - Number/Percent of reported acute toxic substance releases, Pesticide Exposures - Number of minor effect illnesses from exposures)
In addition to the collection of health and
environmental data, NEPHTN also collects
information for product feedback and also from
our recipients for program evaluation and
monitoring using REDCap (Research Electronic
Data Capture). We collect the recipient’s
workplan, program accomplishments - public
health actions (PHA), performance measures,
PHA impact follow up, communication plan and
web stats through REDCap.
ARMSS will collect information regarding the
request such as location, site, request type,
request medium, what type of work is
requested, number of people affected,
contaminants, public health impact rating,
exposure rating, what status the request is in,
what products or services will be developed for
that request, and the lifecycle stage those
products or services are in.
Examples of data include:
Request (Request Type, Received Type,
Requested Activity, Request Date, Name,
Primary Concern)
Scoping (Scoping Date, Thirty Day Milestone,
Exposure Rating, Public Health Impact Rating,
Prioritization, Primary Contaminant)
Triage (Evidence of Exposure, Is Data
Sufficient, Data Receive Date, Fifteen Day
Milestone, Decision Review Date, Referred to
Agency, Acknowledgment Letter Sent Date)
Activity (Coop Program, Activity Name, Planned
Start Date, Notes, Status, Start Date, Complete
SDX Date)
Site (Name, Description, Environmental
Protection Agency (EPA) Facility Identification
Number (ID), Central Registry (CR) Number,
Superfund Number NPL Code ID, Federal
Facility ID, Address)
PTA - 7:
Does the system collect, maintain, use or share PII?
Yes
PTA - 7A:
Does this include Sensitive PII as defined by HHS?
Yes
PTA - 8:
Does the system include a website or online application?
Yes
PTA - 8A:
Are any of the URLs listed accessible by the general public (to
include publicly accessible log in and internet websites/online
applications)?
Yes
PTA - 9:
Describe the purpose of the website, who has access to it, and
how users access the web site (via public URL, log in, etc.).
Please address each element in your response.
https://ephtracking.cdc.gov (PUBLIC PORTAL)
This is the URL used by external users that
uses SAMS for user authentication.
https://ephtsecure.cdc.gov (SECURE PORTAL)
This is the URL used by internal users that uses
AD for authentication.
https://ephtsecure.cdc.gov/MetadataCreationTool/creatorDashboard (Metadata Creation Tool)
PTA - 10:
Does the website have a posted privacy notice?
Yes
PTA - 11:
Does the website contain links to non-federal government
websites external to HHS?
No
PTA - 11A:
Is a disclaimer notice provided to users that follow external links to
websites not owned or operated by HHS?
PTA - 12:
Does the website use web measurement and customization
technology?
PTA - 12A:
Select the type(s) of website measurement and customization
technologies in use and if it is used to collect PII.
PTA - 13:
Does the website have any information or pages directed at
children under the age of thirteen?
No
PTA - 13A:
Does the website collect PII from children under the age thirteen?
No
PTA - 13B:
Is there a unique privacy policy for the website and does the
unique privacy policy address the process for obtaining parental
consent if any information is collected?
PTA - 14:
Does the system have a mobile application?
PTA - 14A:
Is the mobile application HHS developed and managed or a third-party application?
No
No
PTA - 15:
Describe the purpose of the mobile application, who has access to
it, and how users access it. Please address each element in your
response.
PTA - 16:
Does the mobile application/ have a privacy notice?
PTA - 17:
Does the mobile application contain links to non-federal
government website external to HHS?
PTA - 17A:
Is a disclaimer notice provided to users that follow external links to
resources not owned or operated by HHS?
PTA - 18:
Does the mobile application use measurement and customization
technology?
PTA - 18A:
Describe the type(s) of measurement and customization
technologies or techniques in use and what information is
collected.
PTA - 19:
Does the mobile application have any information or pages
directed at children under the age of thirteen?
PTA - 19A:
Does the mobile application collect PII from children under the age
thirteen?
PTA - 19B:
Is there a unique privacy policy for the mobile application and
does the unique privacy policy address the process for obtaining
parental consent if any information is collected?
PTA - 20:
Is there a third-party website or application (TPWA) associated
with the system?
No
PTA - 21:
Does this system use artificial intelligence (AI) tools or
technologies?
No
PIA
PIA - 1:
Indicate the type(s) of personally identifiable information (PII) that
the system will collect, maintain, or share.
Name
PIA - 2:
Indicate the categories of individuals about whom PII is collected,
maintained or shared.
Business Partners/Contacts (Federal, state, local
agencies)
PIA - 3:
Indicate the approximate number of individuals whose PII is
maintained in the system.
201 - 500
PIA - 4:
For what primary purpose is the PII used?
We contact the individuals if we have issues
with their data submissions or to provide status
of events.
PIA - 5:
Describe any secondary uses for which the PII will be used (e.g.
testing, training or research).
NA
PIA - 6:
Describe the function of the SSN and/or Taxpayer ID.
NA
PIA - 6A:
Cite the legal authority to use the SSN.
NA
PIA - 7:
Identify legal authorities, governing information use and disclosure
specific to the system and program.
5 USC, Section 301
PIA - 8:
Are records in the system retrieved by one or more PII data
elements?
PIA - 8A:
Please specify which PII data elements are used to retrieve
records.
PIA - 8B:
Provide the number, title, and URL of the Privacy Act System of
Records Notice (SORN) that is being used to cover the system or
indicate whether a new or revised SORN is in development.
Email Address
No
PIA - 9:
Identify the sources of PII in the system.
Directly from an individual about whom the
information pertains
Online
Government Sources
State/Local/Tribal
No
PIA - 10:
Is there an Office of Management and Budget (OMB) information
collection approval number?
PIA - 10A:
Provide the information collection approval number.
PIA - 10B:
Identify the OMB information collection approval number
expiration date.
PIA - 10C:
Explain why an OMB information collection approval number is not
required.
Only Name and Email Address are used, which are
collected from SAMS. CDC only uses the email
address to contact the recipient if there are any
issues with their data submission.
PIA - 11:
Is the PII shared with other organizations outside the system’s
Operating Division?
PIA - 11A:
Identify with whom the PII is shared or disclosed.
PIA - 11B:
Please provide the purpose(s) for the disclosures described in PIA
- 11A.
PIA - 11C:
List any agreements in place that authorize the information
sharing or disclosure (e.g., Computer Matching Agreement (CMA),
Memorandum of Understanding (MOU), or Information Sharing
Agreement (ISA)).
PIA - 11D:
Describe process and procedures for logging/tracking/accounting
for the sharing and/or disclosing of PII. If no process or
procedures are in place, please explain why not.
PIA - 12:
Is the submission of PII by individuals voluntary or mandatory?
PIA - 12A:
If PII submission is mandatory, provide the specific legal
requirement that requires individuals to provide information or face
potential civil or criminal penalties.
PIA - 13:
Describe the method for individuals to opt-out of the collection or
use of their PII. If there is no option to object to the information
collection, provide a reason.
This is the same information that is required
when they request a SAMS user account. There
is no opt-out as this email address serves as a
contact for the data submission. This email
could however be substituted with a generic
contact email for the data submitter. If the
individual does not want to share his or her
business data, then they will not be able to
access this system.
PIA - 14:
Describe the process to notify and obtain consent from the
individuals whose PII is in the system when major changes occur
to the system (e.g., disclosure and/or data uses have changed
since the notice at the time of original collection). Alternatively,
describe why they cannot be notified or have their consent
obtained.
When major changes occur to the system
individuals will be notified by email to obtain
their consent.
PIA - 15:
Describe the process in place to resolve an individual's concerns
when they believe their PII has been inappropriately obtained,
used, or disclosed, or that the PII is inaccurate. If no process
exists, explain why not.
In the event that individuals feel their PII was
obtained inappropriately, or is inaccurate they
should email the Tracking Support mailbox at
[email protected]. Once the request is
received, research will be conducted and
communicated back to the originating party.
No
Voluntary
PIA - 16:
Describe the process in place for periodic reviews of PII contained
in the system to ensure the data's integrity, availability, accuracy
and relevancy. Please address each element in your response. If
no processes are in place, explain why not.
Once a year the SAMS database is checked, and
any names and emails that are no longer active
are purged.
PIA - 17:
Identify who will have access to the PII in the system.
Administrators
Developers
Contractors
PIA - 17A:
Select the type of contractor.
HHS/OpDiv Direct Contractors
PIA - 17B:
Do contracts include Federal Acquisition Regulation (FAR) and
other appropriate clauses ensuring adherence to privacy
provisions and practices?
Yes
PIA - 18:
Provide the reason why each of the groups identified in PIA - 17
needs access to PII.
Administrators - May need this information to
contact the data submitter in regards to an
issue.
Developers - PII Information is in the database,
and developers will need access to the
database.
Contractors - CDC direct contractors may need
this information to contact the data submitter in
regards to an issue.
PIA - 19:
Describe the administrative procedures in place to determine
which system users (administrators, developers, contractors, etc.)
may access PII.
The system uses role-based access controls to
ensure administrators and direct contractors are
granted access on a "need-to-know" and
"need-to-access" basis commensurate with their assigned
duties.
PIA - 20:
Describe the technical methods in place to allow those with
access to PII to only access the minimum amount of information
necessary to perform their job.
Only System Administrators have access to the
PII in the system. They create new system
users, grant user access and disable accounts.
Therefore they have access to all PII in the
system.
PIA - 21:
Identify the general security and privacy awareness training
provided to system users (system owners, managers, operators,
contractors and/or program managers) using the system to make
them aware of their responsibilities for protecting the information
being collected and maintained.
All system users must complete annual Security
and Privacy Awareness and Training (SAT)
PIA - 22:
Describe training system users receive (above and beyond
general security and privacy awareness training).
None
PIA - 23:
Describe the process and guidelines in place with regard to the
retention and destruction of PII. Cite specific National Archives
and Records Administration (NARA) records retention schedule(s)
and include the retention period(s).
The names and email addresses are based on
a CDC SAMS account. Once per year we
validate that the SAMS account is still valid and
if so we continue to maintain the PII. If the
SAMS account no longer exists or is disabled
the corresponding PII is deleted from NEPHTN.
Per our record management schedule GRS 5.2,
item 020 we dispose when no longer needed.
Disposal methods include erasing computer
tapes, burning or shredding paper materials or
transferring records to the Federal Records
Center when no longer needed for evaluation
and treatment.
PIA - 24:
Describe how the PII will be secured in the system using
administrative, technical, and physical controls. Please address
each element in your response.
Administrative: Records are maintained
in accordance with CDC’s record control schedule
and record control policy. The PII is secured
using the CDC/IS Active Directory
authentication process and role-based
application control via RBAC.
Technical: Monitored by the Network and IT
security controls, which are administered by the Cyber
Security Program Office. In addition, the image
documentation containing PII will be
encrypted.
Physical: Controls are managed by security
guards, ID badges, locked doors, and key card
restrictions.
Review & Comments
Privacy Analyst Review
OpDiv Privacy
Analyst Review
Status:
Approved
Privacy Analyst
Comments:
Privacy Analyst
Review Date:
3/27/2023
Privacy Analyst
Days Open:
SOP Review
SOP Review
Status:
Approved
SOP Comments:
SOP Signature:
JWO Signature.docx
SOP Review
Date:
3/28/2023
SOP Days Open: 6
Agency Privacy Analyst Review
Agency Privacy
Analyst Review
Status:
Agency Privacy
Analyst Review
Date:
4/6/2023
Agency Privacy
Analyst Review
Comments:
Agency Privacy
Analyst Days
Open:
9
SAOP Review
SAOP Review
Status:
SAOP
Comments:
Approved
SAOP Signature:
SAOP Review
Date:
SAOP Days
Open:
4/6/2023
File Type | application/pdf |
File Modified | 2023-04-07 |
File Created | 2023-04-07 |