Attachment 5 CC CRSS OCRTME Training Program PIA.pdf

Impact of Clinical Research Training and Medical Education at the Clinical Center on Physician Careers in Academia and Clinical Research (CC)

PIA

OMB: 0925-0602

1. OPDIV

National Institutes of Health

2. PIA Unique Identifier

P-1110930-742633

2a. Name

CRSS OCRTME Training Program (2021 review)

3. The subject of this PIA is
which of the following?

Minor Application (stand-alone)

3a. Identify the Enterprise
Performance Lifecycle Phase
of the system.

Operational

3b. Is this a FISMAReportable system?

No

4. Does the system include a
Website or online
application available to and
for the use of the general
public?

Yes

Accept / Reject Status

Undefined

Question 4 Comment
5. Identify the operator.

Agency

6. Point of Contact (POC)
POC Title

System Owner

POC Name

Simmons, Jennifer

POC Organization

NIH/CC/OCRTME

POC Email

[email protected]

POC Phone

301.402.0914

Accept / Reject Status

Undefined

Question 6 Comment
7. Is this a new or existing
system?

Existing

8. Does the system have
Security Authorization
(SA)?

Yes

Accept / Reject Status

Undefined
For Official Use Only (FOUO)

Page 1

Question 8 Comment
8a. Date of Security
Authorization

10/27/2020

9. Indicate the following
reason(s) for updating this
PIA. Choose from the
following options.

PIA Validation (PIA Refresh/Annual Review)

Other
Accept / Reject Status

Undefined

Question 9 Comment

10. Describe in further detail
any changes to the system
that have occurred since the
last PIA.

A new Graduate Medical Education Survey has been added.

Accept / Reject Status

Undefined

Question 10 Comment

11. Describe the purpose of
the system.

The Office of Clinical Research Training and Medical Education
(OCRTME) Training Programs system, also known as the Clinical
Research Student (CRS) records system, accepts applications from
medical, dental, and veterinary students, residents, and physicians
applying for training programs at the NIH Clinical Center (CC). In
addition to collecting applications, the system generates surveys to
accepted training program students, residents and physicians to
evaluate the impact and effectiveness of the training programs.
The OCRTME programs include:
Medical Research Scholars Program
Graduate Medical Education
Clinical Electives Program
Resident Electives Program
Clinical Research Training Program and Medical Research Scholars
Program (CRTP/MRSP) Alumni Survey
Graduate Medical Education Alumni Survey


Accept / Reject Status

Undefined

Question 11 Comment

12. Describe the type of
information the system will
collect, maintain (store), or
share. (Subsequent questions
will identify if this
information is PII and ask
about the specific data
elements.)

The personally identifiable information (PII) collected includes
name, personal mailing address, personal phone number, personal
email address, educational records, and employment status. In
addition, applicants submit:
Educational information including educational institutions attended,
transcripts, test scores
Professional information including current profession, current
Curriculum Vitae (CV), citizenship status
References

The information is used to process applicants for training programs
sponsored by various Institutes and Centers (ICs) within the NIH.
The information is submitted voluntarily by medical/dental students
or physicians and is collected to determine the suitability of
applicants for NIH clinical research training programs.
Those requiring access to the OCRTME Training Program log in using
the NIH Identity, Credential, and Access Management (ICAM)
Services, which maintains its own unique privacy impact assessment
(PIA) on record, including all legal authorities documented. The
purpose of the ICAM is to authenticate and authorize all users and
computers in a Windows domain type network, assigning and
enforcing information security policies for all computers and
installing or updating software. The ICAM collects unique user
names and passwords (user credentials) and stores them in an
encrypted format. The ICAM is an essential service which
facilitates and governs network access to various resources.
Individuals applying to the training programs are guided through the
application process on the OCRTME website. An active link to
each training program includes the program's application and
program requirements. Applicants do not have access to the
information once it is submitted. If an update is needed, they email
the support address and work with the support team.

Accept / Reject Status

Undefined

Question 12 Comment
13. Provide an overview of
the system and describe the
information it will collect,
maintain (store), or share,
either permanently or
temporarily.

The OCRTME Training Program accepts applications from medical,
dental, veterinary students; residents, and physicians applying for
training programs at the NIH Clinical Center (CC).

The OCRTME programs include:
Medical Research Scholars Program
Graduate Medical Education
Clinical Electives Program
Resident Electives Program
Clinical Research Training Program and Medical Research Scholars
Program (CRTP/MRSP) Alumni Survey
Graduate Medical Education Alumni Survey
The personally identifiable information (PII) collected includes
name, personal mailing address, personal phone number, personal
email address, educational records, and employment status. In
addition, applicants submit:
Educational information including educational institutions attended,
transcripts, test scores
Professional information: current profession, current CV, citizenship
status
References
The information is used to process applicants for training programs
sponsored by various ICs within the NIH. The information is
submitted voluntarily by medical/dental students or physicians and is
collected to determine the suitability of applicants for NIH clinical
research training program. The information is shared with NIH
training program administrators and selecting officials.
Those requiring access to OCRTME Training Program log in using
the NIH ICAM Services which maintains its own unique PIA on
record, including all legal authorities documented.
Individuals applying to the training programs submit their forms via
the web link on the OCRTME external websites. Applicants do not
have access to the information once it's submitted. If an update is
needed, they email the support address and work with the support
team.

Accept / Reject Status

Undefined

Question 13 Comment
14. Does the system collect,
maintain, use or share PII?

Yes

Accept / Reject Status

Undefined

Question 14 Comment


15. Indicate the type of PII
that the system will collect
or maintain.

Name, E-Mail Address, Phone Numbers, Education Records, Mailing
Address
Current CV, citizenship status
References

Accept / Reject Status

Undefined

Question 15 Comment
16. Indicate the categories of
individuals about whom PII
is collected, maintained or
shared.

Employees, Public Citizens

Accept / Reject Status

Undefined

Question 16 Comment
17. How many individuals'
PII is in the system?

10,000-49,999

Accept / Reject Status

Undefined

Question 17 Comment

18. For what primary
purpose is the PII used?

For evaluation and selection of participants for medical education
and research training programs, and to evaluate the effectiveness /
outcome of NIH clinical research training programs.

Accept / Reject Status

Undefined

Question 18 Comment
19. Describe the secondary
uses for which the PII will
be used (e.g. testing, training
or research)

The information collected is used to validate the compliance of
graduate medical education training programs sponsored by the
Clinical Center with the requirements of external accrediting
organizations, specifically the Accreditation Council for Graduate
Medical Education.

Accept / Reject Status

Undefined

Question 19 Comment
20. Describe the function of
the SSN.

Social Security Number (SSN) is not collected. It is acknowledged
that SSN may appear on transcripts uploaded by the applicant. This
collection would be unsolicited and incidental. The SSN is never
used to consider an applicant.

Accept / Reject Status

Undefined

Question 20 Comment
20a. Cite the legal authority
to use the SSN.

SSN is not collected.

21. Identify legal authorities
governing information use
and disclosure specific to the
system and program.

42 USC 241, 263, 282

22. Are records on the
system retrieved by one or
more PII data elements?

Yes

Accept / Reject Status

Undefined

Question 22 Comment

22a. Identify the number and title of the Privacy Act System of Records Notice (SORN) that is
being used to cover the system or identify if a SORN is being developed.

Published: 09-25-0014, Clinical Research: Student Records,
HHS/NIH/OD/OIR/OE

In Progress: No

23. Identify the sources of
PII in the system.

In-Person, Hard Copy: Mail/Fax, Email, Online, Members of the
Public

Accept / Reject Status

Undefined

Question 23 Comment
23a. Identify the OMB
information collection
approval number and
expiration date.

OMB Number: 0925-0698 (Application Process for Clinical
Research Training and Medical Education at the Clinical Center and
its impact on Course and Training Program Enrollment and
Effectiveness)

24. Is the PII shared with
other organizations?

Yes

Accept / Reject Status

Undefined

Question 24 Comment

24a. Identify with whom the PII is shared or disclosed and for what purpose.
Within HHS

Yes
Applicant names within the system may be shared with NIH training
programs.

Other Federal
Agency/Agencies

No

State or Local
Agency/Agencies

No

Private Sector

Yes
Names of past participants of some training programs may be listed
on the OCRTME and Foundation of NIH external facing websites
after obtaining consent and permission from the participants.
Two third-party web application providers, under the direction of the
Executive Director for Graduate Medical Education, provide online
course registration functionality for NIH training programs and
conduct Alumni tracking surveys for graduates of the NIH training
programs, all sites hosted at NIH. The contractor may have incidental
access to the PII when performing regular troubleshooting work and
security maintenance.

24b. Describe any
agreements in place that
authorize the information
sharing or disclosure (e.g.
Computer Matching
Agreement, Memorandum of
Understanding (MOU), or
Information Sharing
Agreement (ISA)).

There are no Memorandums of Understanding (MOUs) or
Information Sharing Agreements (ISAs) for this system. The third-party
web-application provider contracts stipulate that New
Innovations and Digital Infuzion must follow all requirements in the
Security and Privacy Language for Information and Information
Technology Procurements and the NIH Information Security Policy
Handbook.

24c. Describe the procedures
for accounting for
disclosures.

N/A. Data is not shared outside of HHS.

25. Describe the process in
place to notify individuals
that their personal
information will be
collected. If no prior notice
is given, explain the reason.

Individuals self-select for application and make the affirmative action
to visit the NIH website(s) in question. Applicants are notified at the
website where data is collected that submission of information is
voluntary but necessary for program application and consideration.

Accept / Reject Status

Undefined

Question 25 Comment
26. Is the submission of PII
by individuals voluntary or
mandatory?

Voluntary

Accept / Reject Status

Undefined

Question 26 Comment
27. Describe the method for
individuals to opt-out of the
collection or use of their PII.
If there is no option to object
to the information collection,
provide a reason.

Individuals may opt out by not applying to the program.

Accept / Reject Status

Undefined

Question 27 Comment
28. Describe the process to
notify and obtain consent
from the individuals whose
PII is in the system when
major changes occur to the
system (e.g., disclosure
and/or data uses have
changed since the notice at
the time of original
collection). Alternatively,
describe why they cannot be
notified or have their consent
obtained.

No changes to the OCRTME program are likely to occur. If a change
were to occur, applicant data would then be used to notify and obtain
consent from applicants for any new use.

Accept / Reject Status

Undefined

Question 28 Comment
29. Describe the process in
place to resolve an
individual's concerns when
they believe their PII has
been inappropriately
obtained, used, or disclosed,
or that the PII is inaccurate.
If no process exists, explain
why not.

A Privacy Rights Complaint Form is available to individuals when
they believe that their PII has been inappropriately used or disclosed.
The Clinical Center's Privacy Office will review the complaint and
respond to the concern within 30 business days. Complaints could
also be submitted to the System Manager, who would investigate and
share findings with CC Information Systems Security Officer (ISSO)
and CC Privacy Officer.

Accept / Reject Status

Undefined

Question 29 Comment
30. Describe the process in
place for periodic reviews of
PII contained in the system
to ensure the data's integrity,
availability, accuracy and
relevancy. If no processes
are in place, explain why
not.

The system owner regularly reviews and analyzes audit records for
indications of inappropriate or unusual activity, investigates
suspicious activity or suspected violations, reports findings to
appropriate officials, and takes necessary actions (such as reporting
security violations).

Accept / Reject Status

Undefined

Question 30 Comment
31. Identify who will have access to the PII in the system and the reason why they require access.
Users

Yes
OCRTME Users have access to PII in order to screen program
applicants.

Administrators

Yes
Administrators may have incidental access to an applicant's PII
during the performance of administrative functions.

Developers

Yes
Developers may have incidental exposure to PII when performing
security updates and troubleshooting reported incidents.

Contractors

Yes
Users or administrators may be direct contractors.

Others

Yes
The web application providers (New Innovations and Digital
Infuzion) may have incidental access to the PII when performing
regular troubleshooting work and security maintenance.

32. Describe the procedures
in place to determine which
system users (administrators,
developers, contractors, etc.)
may access PII.

Access to PII is assigned based upon job roles/responsibilities. An
NIH ICAM account login is required to gain access to the stored PII
data. The access rights of the user account determine file system
permissions and whether PII may be accessed.

Accept / Reject Status

Undefined

Question 32 Comment
33. Describe the methods in
place to allow those with
access to PII to only access
the minimum amount of
information necessary to
perform their job.

Appropriate access is granted to the system based on predefined roles
and job descriptions, and administrative access is limited to
authorized employees based on current roles. Two-factor
authentication with NIH Personal Identity Verification (PIV) card
and NIH ICAM will occur at time of login to the NIH Network.
System owners are responsible for creating the proper security
groups within their systems with the applicable permissions for group
members to enforce least privilege.

Accept / Reject Status

Undefined

Question 33 Comment
34. Identify training and
awareness provided to
personnel (system owners,
managers, operators,
contractors and/or program
managers) using the system
to make them aware of their
responsibilities for
protecting the information
being collected and
maintained.

According to NIH policy, all personnel who use NIH applications
must complete security awareness training every year. There are
five categories of mandatory information technology (IT) training
(Information Security, Counterintelligence, Privacy Awareness,
Records Management and Emergency Preparedness).
Administrators and Privileged Users require additional training
specific to their roles and responsibilities.

Accept / Reject Status

Undefined

Question 34 Comment
35. Describe training system
users receive (above and
beyond general security and
privacy awareness training).

Application specific one-on-one peer training is provided as needed.

Accept / Reject Status

Undefined

Question 35 Comment
36. Do contracts include
Federal Acquisition
Regulation and other
appropriate clauses ensuring
adherence to privacy
provisions and practices?

Yes

Accept / Reject Status

Undefined

Question 36 Comment

37. Describe the process and
guidelines in place with
regard to the retention and
destruction of PII. Cite
specific records retention
schedules.

Records are retained and disposed of under the authority of the NIH
Records Retention Schedule 06-601 Non-mission employee training
program records.
Destroy when 3 years old, or 3 years after superseded or obsolete,
whichever is appropriate, but longer retention is authorized if
required for business use. DAA-GRS-2016-0014-0001

Accept / Reject Status

Undefined

Question 37 Comment

38. Describe, briefly but
with specificity, how the PII
will be secured in the system
using administrative,
technical, and physical
controls.

Physical Controls: The IT hardware used to host protected
information is located in a secured datacenter facility. The facility is
only open to authorized personnel whose access is monitored by
locking doors with badge readers for both ingress and egress. Each
discrete ingress and egress event is logged. The facility is under 24-hour
surveillance by facilities security for security and environmental
hazards.

Technical Controls: IT hardware and software are segregated from
default commodity public networks to prevent unauthorized or
malicious access. Access control lists and event logs are maintained
and monitored to detect unauthorized, suspicious or malicious
activity. Access lists are restricted to approved IT technical
personnel. Two-factor authentication must be used for access. File
integrity and auditing software are employed on hardware.

Administrative Controls: All technical personnel who access IT
systems which contain protected information have met background
investigation criteria for Public Trust positions. All personnel have
taken mandatory security and privacy training classes and annual
refreshers. Administrative personnel accessing these systems use
privileged and separate accounts for administrative access.

Accept / Reject Status

Undefined

Question 38 Comment

39. Identify the publicly-available URL.

https://ocrtmeapps.cc.nih.gov/mrsp
https://ocrtmeapps.cc.nih.gov/gme
https://ocrtmeapps.cc.nih.gov/rep/
https://ocrtmeapps.cc.nih.gov/survey

Accept / Reject Status

Undefined

Question 39 Comment
40. Does the website have a
posted privacy notice?

Yes

Accept / Reject Status

Undefined

Question 40 Comment

40a. Is the privacy policy
available in a machine-readable format?

Yes

41. Does the website use
web measurement and
customization technology?

Yes

Accept / Reject Status

Undefined

Question 41 Comment

41a. Select the type of website measurement and customization technologies in use and whether
they are used to collect PII. (Select all that apply).
Web Beacons

No

Collects PII?

No

Web Bugs

No

Collects PII?

No

Session Cookies

Yes

Collects PII?

No

Persistent Cookies

No

Collects PII?

No

Other ...
Collects PII?

No

42. Does the website have
any information or pages
directed at children under the
age of thirteen?

No

Accept / Reject Status

Undefined

Question 42 Comment

42a. Is there a unique
privacy policy for the
website, and does the unique
privacy policy address the
process for obtaining
parental consent if any
information is collected?

Undefined

43. Does the website contain
links to non-federal
government websites
external to HHS?

No

Accept / Reject Status

Undefined

Question 43 Comment

43a. Is a disclaimer notice
provided to users that follow
external links to websites not
owned or operated by HHS?

Undefined


REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to
be filled out unless the user is an OPDIV Senior Officer for Privacy.
1. Are the questions on the
PIA answered correctly,
accurately, and completely?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 1 Comment
2. Does the PIA
appropriately communicate
the purpose of PII in the
system and is the purpose
justified by appropriate legal
authorities?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 2 Comment
3. Do system owners
demonstrate appropriate
understanding of the impact
of the PII in the system and
provide sufficient oversight
to employees and
contractors?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 3 Comment
4. Does the PIA
appropriately describe the
PII quality and integrity of
the data?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 4 Comment
5. Is this a candidate for PII
minimization?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 5 Comment
6. Does the PIA accurately
identify data retention
procedures and records
retention schedules?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 6 Comment
7. Are the individuals whose
PII is in the system provided
appropriate participation?

Undefined

Reviewer Notes

Accept / Reject Status

Undefined

Question 7 Comment
8. Does the PIA raise any
concerns about the security
of the PII?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 8 Comment
9. Is applicability of the
Privacy Act captured
correctly and is a SORN
published or does it need to
be?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 9 Comment
10. Is the PII appropriately
limited for use internally and
with third parties?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 10 Comment
11. Does the PIA
demonstrate compliance
with all Web privacy
requirements?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 11 Comment
12. Were any changes made
to the system because of the
completion of this PIA?

Undefined

Reviewer Notes
Accept / Reject Status

Undefined

Question 12 Comment

General Comments

This component is under Clinical Research Support Services (CRSS),
whose Universal Unique Identifier (UUID) is: 3E9D85ED-26F6-4A33-BEED-6B60B945A54C.

Status and Approvals
IC Status

IC Approved

OSOP Status

HHS Approved

OPDIV Senior Official for
Privacy Signature
HHS Senior Agency Official
for Privacy



File Type: application/pdf
Author: Martin, Susan (NIH/CC/DCRI) [C]
File Modified: 2024-06-18
File Created: 2024-06-18