Download:
pdf |
pdfNICHD Privacy Impact Assessment (PIA)
The following required questions represent the information necessary to complete the PIA Summary for
transmission to the Office of Management and Budget (OMB) and public posting in accordance with OMB
Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. If the
system hosts a website, the Website Hosting Practices section is required to be completed regardless of the
presence of personally identifiable information (PII). If no PII is contained in the system, please answer the
related questions accordingly and then promote the PIA to the Senior Official for Privacy who will authorize the
PIA. If this system contains PII, all remaining questions on the PIA Form Tabs must be completed prior to
signature and promotion. Answers should be written using plain language. Spell out all acronyms at first use
(except HHS and NIH).
System Information
System Name
NICHD Data and Specimen Hub
System Acronym
NICHD DASH
Contract Number
GS00F029DA
For Official Use Only (FOUO)
Page 1
Privacy Impact Assessment
1. OPDIV
NIH
2. PIA Unique Identifier
P-9979169-864809
a. System Name
NICHD Data and Specimen Hub
☐
☒
☐
☐
☐
☐
3. The subject of this PIA is
which of the following?
a. Identify the
Enterprise
Performance
Lifecycle Phase of
the system.
b. Is this a FISMAReportable system?
Select One:
General Support System (GSS)
Major Application
Minor Application (stand-alone)
Minor Application (child)
Electronic Information Collection
Unknown
Select One:
☐
☐
☐
☐
☐
Initiation
Concept
Planning
Requirements Analysis
Design
☐
☐
☐
☒
☐
Development
Test
Implementation
Operations and Maintenance
Disposition
☐ Yes
☒ No
4. Does the system include
a Website or online
application available to
and for the use of the
general public?
☒ Yes
☐ No
5. Identify the operator
Select One: ☒ Agency ☐ Contractor
6. Point of Contact (POC)
a. POC Title
Rebecca Rosen
b. POC Name
NICHD DASH System Owner
c. POC Organization
Eunice Kennedy Shriver National Institute of Child Health and
Human Development (NICHD)
NICHD/OD/ODSS
d. POC Email
[email protected]
e. POC Phone
(240) 447-7723
7. Is this a new or existing
system?
☐ New
☒ Existing
8. Does the system have
Security Authorization
(SA)?
☒ Yes
☐ No
For Official Use Only (FOUO)
Page 2
a. Date of Security
Authorization
9. Indicate the following
reason(s) for updating
this PIA. Choose from
the following options.
6/11/2020
☒
☐
☐
☐
☐
☐
☐
☐
☐
Select All that Apply:
PIA Validation (PIA Refresh/Annual Review)
Anonymous to Non-Anonymous
New Public Access
Internal Flow or Collection
Commercial Sources
Significant System Management Change
Alteration in Character of Data
New Interagency Uses
Conversion
10. Describe in further detail
any changes to the
system that have
NICHD DASH has a new 2023 Authorization to Operate
occurred since the last
PIA.
11. Describe the purpose of
the system.
The Eunice Kennedy Shriver National Institute of Child Health and
Human Development (NICHD) Data and Specimen Hub (NICHD
DASH) is a centralized resource for researchers to store deidentified data and to access data and associated biospecimens
from NICHD supported studies for use in secondary research. It
serves as a mechanism for NICHD-funded extramural and
intramural investigators to share de-identified research data from
studies in accordance with the NIH Data Management and
Sharing Policy. By supporting data sharing through NICHD
DASH, NICHD aims to accelerate scientific findings and
improve human health.
For Official Use Only (FOUO)
Page 3
12. Describe the type of
information the system
will collect, maintain
(store), or share.
(Subsequent questions
will identify if this
information is PII and
ask about the specific
data elements.)
The system collects and maintains personal information (Name,
Position, Institution, Division, email address, phone number and
password) from individuals registering to create accounts in the
system.
The Eunice Kennedy Shriver National Institute of Child Health and
Human Development (NICHD) Data and Specimen Hub (NICHD
DASH) is a centralized resource for researchers to store deidentified data and to access data and associated biospecimens
from NICHD supported studies for use in secondary research. It
13. Provide an overview of
serves as a mechanism for NICHD-funded extramural and
the system and describe
intramural investigators to share de-identified research data from
the information it will
studies in accordance with the NIH Data Management and
collect, maintain (store),
Sharing Policy. By supporting data sharing through NICHD
or share, either
DASH, NICHD aims to accelerate scientific findings and
permanently or
improve human health.
temporarily. This is a
summary/copy of Q12.
The system collects and maintains personal information (Name,
Position, Institution, Division, email address, phone number and
password) from individuals registering to create accounts in the
system.
14. Does the system collect,
maintain, use or share
PII?
☒ Yes
☐ No
Select All that Apply:
15. Indicate the type of PII
that the system will
collect or maintain.
16. Indicate the categories of
individuals about whom
☐
☒
☐
☐
☒
☒
☐
☐
☐
☐
☐
☐
Social Security Number
Name
Driver License Number
Mother Maiden Name
E-Mail Address
Phone Number
Medical Notes
Certificates
Education Records
Military Status
Foreign Activities
Taxpayer ID
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
☐
Date of Birth
Photographic Identifiers
Biometric Identifiers
Vehicle Identifiers
Mailing Address
Medical Records Number
Financial Account Info
Legal Documents
Device Identifiers
Employment Status
Passport Number
Select All that Apply:
For Official Use Only (FOUO)
Page 4
PII is collected,
maintained or shared.
☐ Employees
☐ Vendors/Suppliers/Contractors
☐ Public Citizens
☐ Patients
☐ Business Partners/Contacts
(Federal, State, and Local
Agencies)
Select One:
17. How many individuals'
PII is in the system?
18. For what primary
purpose is the PII used?
☐
☐
☒
☐
Less than 100
100-499
500-4,999
5,000-9,999
☐
☐
☐
☐
10,000-49,999
50,000-99,999
100,000-999,999
1,000,000 or more
To identify and authenticate access and communicate with
individuals submitting data or requesting data and biospecimens.
19. Describe the secondary
uses for which the PII
Application Administrator will use email addresses or names to
will be used (e.g. testing,
inform users of updates and request approvals.
training or research)
20. Describe the function of
N/A
the SSN.
a. Cite the legal
authority to use the
SSN.
N/A
21. Identify legal authorities
United States Congress, Public Health Service Act 42 U.S.C. Section
governing information
241, 242, 248, 281, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f,
use and disclosure
285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287,
specific to the system
287b, 287c, 289a, 289c, and; 44 U.S.C. Section 310l
and program.
22. Are records on the
system retrieved by one
or more PII data
elements? If Yes, a
SORN is needed and you
must complete 22a.
☒ Yes
☐ No
a. Identify the number and title of the Privacy Act System of Records Notice (SORN) that is
being used to cover the system or identify if a SORN is being developed.
Published:
09-25-0200 Clinical, Basic and Population based Research Studies of
the National Institutes of Health (NIH)
Published:
Click here to enter text.
Published:
Click here to enter text.
In Progress
☐ Yes
☐ No
Select All that Apply:
For Official Use Only (FOUO)
Page 5
Directly from
Individual:
23. Identify the sources of
PII in the system.
a. Identify the OMB
information
collection approval
number and
expiration date.
24. Is the PII shared with
other organizations?
☐ In-Person
☐ Hard Copy:
Mail/Fax
☐ Email
☒ Online
☐ Other
Government
Sources:
Non-Government
Sources:
☒ Within OPDIV
☐ Other HHS
OPDIV
☐ State/Local/Tribal
☐ Foreign
☐ Other Federal
Entities
☐ Other
☒ Members of the
Public
☐ Commercial Data
Broker
☐ Private Sector
☐ Other
The OMB Control Number is 0925-0744 and the expiration date is
06/30/2024.
☐ Yes
☒ No
a. Identify with whom the PII is shared or disclosed and for what purpose.
Within HHS
☐ Yes ☐ No
Purpose: Click here to enter text.
Other Federal
Agency/Agencies
☐ Yes ☐ No
State or Local
Agency/Agencies
☐ Yes ☐ No
Private Sector
Purpose: Click here to enter text.
Purpose: Click here to enter text.
☐ Yes ☐ No
Purpose: Click here to enter text.
b. Describe any
agreements in place
that authorizes the
information sharing
or disclosure (e.g.
Computer Matching
Agreement,
Memorandum of
Understanding
(MOU), or
Information Sharing
Agreement (ISA)).
Click here to enter text.
c. Describe the
procedures for
accounting for
disclosures.
Click here to enter text.
For Official Use Only (FOUO)
Page 6
25. Describe the process in
place to notify
individuals that their
Individuals are displayed a warning banner regarding privacy and
personal information will
security on the login page. The users of the system are also
be collected. If no prior
displayed the DASH User Agreement during registration.
notice is given, explain
the reason.
26. Is the submission of PII
by individuals voluntary
or mandatory?
☒ Voluntary
☐ Mandatory
27. Describe the method for
individuals to opt-out of
the collection or use of
their PII. If there is no
option to object to the
information collection,
provide a reason.
The collection of information is required for the creation of an
account and there is no opt-out option. Individuals may browse
or search studies without creating an account. However, in order
to request data and biospecimen and to submit data, they must
enter their information and create an account.
28. Describe the process to
notify and obtain consent
from the individuals
whose PII is in the
system when major
Major system changes are conveyed to registered users through
changes occur to the
emails from [email protected]. A Quarterly Update
system (e.g., disclosure
email notifies users of major system changes and is sent to
and/or data uses have
registered users who have not opted out of the update email.
changed since the notice
Individual users are emailed from SupportDASH if a change
at the time of original
occurs that impacts their specific data/biospecimen request or
collection).
submission.
Alternatively, describe
why they cannot be
notified or have their
consent obtained.
29. Describe the process in
place to resolve an
If an individual has a concern that their PII has been inappropriately
individual's concerns
obtained, used, or disclosed, they may contact the System
when they believe their
Administrator at [email protected]. This email
PII has been
address is provided throughout the system. They may also
inappropriately obtained,
contact DASH through the Feedback button to share a concern.
used, or disclosed, or that
The concern will be investigated and addressed by our
the PII is inaccurate. If
development team.
no process exists, explain
why not.
For Official Use Only (FOUO)
Page 7
30. Describe the process in
place for periodic
Individuals have access to their profile in the system and can make
reviews of PII contained
any changes needed to their personally identifiable information
in the system to ensure
(PII) through the profile page. Accuracy is tested quarterly
the data's integrity,
through the responses to the Quarterly Update email. Accounts
availability, accuracy,
that are “undeliverable” or with automated responses indicating
and relevancy. If no
they are no longer with their original institution are updated
processes are in place,
accordingly.
explain why not.
31. Identify who will have access to the PII in the system and the reason why they require access.
Users
☒ Yes ☐ No
Reason: Users can review and update their PII in the system.
☒ Yes ☐ No
Administrators
Reason: To resolve account queries or disputes, or to assist with
password resets or updates and email registered users as
necessary.
☒ Yes ☐ No
Developers
Reason: To investigate and resolve user issues when requested by
the user.
☒ Yes ☐ No
Contractors
Others
Reason: Users, Administrators and Developers may all be direct
contractors.
☐ Yes ☐ No
Reason: Click here to enter text.
32. Describe the procedures
in place to determine
The principles of least privileged access are applied. The system uses
which system users
roles and each role has different access levels. Default role has
(administrators,
least privilege. Approval by system administrator is needed to
developers, contractors,
change role.
etc.) may access PII.
33. Describe the methods in
place to allow those with
The principles of least privileged access are applied. The system uses
access to PII to only
roles and each role has different access levels. Default role has
access the minimum
least privilege. Approval by system administrator is needed to
amount of information
change role.
necessary to perform
their job.
For Official Use Only (FOUO)
Page 8
34. Identify training and
awareness provided to
personnel (system
owners, managers,
operators, contractors
and/or program
managers) using the
system to make them
aware of their
responsibilities for
protecting the
information being
collected and
maintained.
The NIH Security Awareness Training course is used to satisfy this
requirement. According to NIH policy, all personnel who use
NIH applications must complete security awareness training
every year. There are five categories of mandatory IT training
(Information Security, Counterintelligence, Privacy Awareness,
Records Management and Emergency Preparedness).
35. Describe training system
users receive (above and
System owners, managers, and operators are also required to take
beyond general security
role-based training.
and privacy awareness
training).
36. Do contracts include
Federal Acquisition
Regulation and other
appropriate clauses
ensuring adherence to
privacy provisions and
practices?
☒ Yes
☐ No
37. Describe the process and
The records schedule item 01-003: Records of All Other Intramural
guidelines in place with
Research Projects. Disposition: Cut off annually at termination of
regard to the retention
project/program or when no longer needed for scientific
and destruction of PII.
reference, whichever is longer. Destroy 7 years after cutoff
Cite specific records
(DAA-0443-2012-0007-0003).
retention schedules.
Administrative controls: Restricted access to only authorized
38. Describe, briefly but
administrators of the system. Only application administrator user
with specificity, how the
role may perform those actions.
PII will be secured in the Technical controls: Access is provided only to Developers, System
system using
Administrators through a Virtual Private Network (VPN)
administrative, technical,
connection using multi-factor authentication.
and physical controls.
Physical controls: Access to physical systems are restricted by the
system's Cloud Service Provide (CSP) Amazon Web Services.
39. Identify the publiclyavailable URL.
40. Does the website have a
posted privacy notice?
https://dash.nichd.nih.gov/
☒ Yes
☐ No
For Official Use Only (FOUO)
Page 9
a. Is the privacy policy
available in a
machine-readable
format?
41. Does the website use
web measurement and
customization
technology?
☒ Yes
☐ No
☒ Yes
☐ No
a. Select the type of website measurement and customization technologies is in use and if it is
used to collect PII.
Web Beacons
Web Bugs
Session Cookies
Persistent Cookies
Other...
In Use: ☒ Yes ☐ No
Collects PII: ☐ Yes ☒ No
In Use: ☐ Yes ☒ No
Collects PII: ☐ Yes ☐ No
In Use: ☐ Yes ☒ No
Collects PII: ☐ Yes ☐ No
In Use: ☐ Yes ☒ No
Collects PII: ☐ Yes ☐ No
In Use: ☐ Yes ☒ No
Collects PII: ☐ Yes ☐ No
42. Does the website have
any information or pages
directed at children
under the age of thirteen?
☐ Yes
☒ No
a. Is there a unique
privacy policy for the
website, and does the
unique privacy policy
address the process
for obtaining parental
consent if any
information is
collected?
☐ Yes
☐ No
43. Does the website contain
links to non-federal
government websites
external to HHS?
☐ Yes
☒ No
For Official Use Only (FOUO)
Page 10
a. Is a disclaimer notice
provided to users that
follow external links
to websites not
owned or operated by
HHS?
☐ Yes
☐ No
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to
be filled out unless the user is an OPDIV Senior Officer for Privacy.
1. Are the questions on the
PIA answered correctly,
accurately, and
completely?
2. Does the PIA
appropriately
communicate the
purpose of PII in the
system and is the
purpose justified by
appropriate legal
authorities?
3. Do system owners
demonstrate appropriate
understanding of the
impact of the PII in the
system and provide
sufficient oversight to
employees and
contractors?
4. Does the PIA
appropriately describe
the PII quality and
integrity of the data?
5. Is this a candidate for PII
minimization?
6. Does the PIA accurately
identify data retention
procedures and records
retention schedules?
7. Are the individuals
whose PII is in the
system provided
appropriate
participation?
For Official Use Only (FOUO)
Page 11
8. Does the PIA raise any
concerns about the
security of the PII?
9. Is applicability of the
Privacy Act captured
correctly and is a SORN
published or does it need
to be?
10. Is the PII appropriately
limited for use internally
and with third parties?
11. Does the PIA
demonstrate compliance
with all Web privacy
requirements?
12. Were any changes made
to the system because of
the completion of this
PIA?
For Official Use Only (FOUO)
Page 12
Status and Approvals
IC Status
☒ Approved ☐ Rejected
IC Signature (ISSO)
Aubrey G. Callwood -S
For Official Use Only (FOUO)
Digitally signed by Aubrey G. Callwood -S
Date: 2023.06.15 10:38:38 -04'00'
Page 13
File Type | application/pdf |
Author | Beltran, Luis (NIH/CIT) [C] |
File Modified | 2023-06-15 |
File Created | 2023-06-06 |