Privacy Act Checklist

Privacy Checklist_Diabetes Prevention Recognition Program (DPRP) Standards_09-27-23.docx

[NCCDPHP] CDC Diabetes Prevention Recognition Program (DPRP)

Privacy Act Checklist

OMB: 0920-0909

Document [docx]
Download: docx | pdf

PRIVACY CHECKLIST


CDC’s National Diabetes Prevention Program (National DPP) Diabetes Prevention Recognition Program (DPRP) Standards


Revision

OMB No. 0920-0909


Does the data collection involve collecting sensitive or personally identifiable information?


Respondents to this information collection request will be National Diabetes Prevention Program’s (National DPP’s) Diabetes Prevention Recognition Program (DPRP) organizational-level directors and managers, and delivery site-level program coordinators and lifestyle coaches. These are organizations offering CDC’s yearlong, evidence-based lifestyle change program to prevent or delay type 2 diabetes. CDC will not receive any Personally Identifiable Information (PII) from individual participants who enrolled in CDC-recognized organizations delivering the National DPP lifestyle change program. Although CDC knows the names of the organizations and affiliate delivery sites, electronic responses will not be directly linked to actual program participants. The application and evaluation forms do not collect participants’ PII.


The organizations participating in the CDC’s DPRP will follow the 2024 DPRP Standards and Operating Procedures (DPRP Standards) to assign each participant a unique, de-identified “Participant ID” to track participants across sessions. CDC’s DPRP Standards expressly state, “The Participant ID should not be based on social security number or other PII.”


CDC will collect information from one type of respondent:


CDC-recognized DPRP Organizations: Each organization applying as a CDC-recognized organization must submit contact information, including the organization’s name as well as the job title, and e-mail address of employees designated to serve as a program director/manager, program coordinator, or data preparer. CDC will use this information to generate an organizational profile and provide unique organization IDs for authorized staff. Although the organization’s profile will include organizational contact and e-mail addresses, the information is not considered personal or private in nature, as it can easily be obtained via public web searches. The organizations will report on DPRP Standards-related evaluation data elements at the participant level in a de-identified manner, issuing each participant with a unique Participant ID. Organizations will not submit any individual participant information with PII to CDC.


Additionally, CDC will use a de-identified National Provider Identifier (NPI) as the Coach ID for coaches registered to deliver the Centers for Medicare & Medicaid Services (CMS)’s Medicare Diabetes Prevention Program (MDPP). Although the lifestyle coach profiles will include their organizational email addresses for the sole purpose of communication and system login for data entry, the information is not considered personal or private in nature, as it can easily be obtained via public web searches. CDC does not collect any other PII regarding lifestyle coaches and will not share their organizational email addresses.


Describe how personal information will be maintained, and who will have access.


CDC-recognized Organization Data: CDC will maintain the organization contact PII (business e-mail addresses of assigned staff; such as program coordinators, lifestyle coaches, and data preparers) in password-protected files in a secure facility. Only authorized CDC staff, and CDC-recognized organizational staff will have access to their own organization-level data.


CDC-recognized Organization Participant-level Data: The CDC-recognized organizations, including at all delivery sites where applicable, will generate, assign, and maintain a coded identification number for each participant enrolled in their CDC-recognized lifestyle change programs. They will transmit only de-identified, coded, participant-level information to CDC. CDC will not receive or store specific names of participants and will not attempt to identify individuals by data linkages involving demographic, geographic, or outcome information. CDC will not contact individual participants or disclose any individual participant-level data.


CDC will use only de-identified participant data elements to monitor the fidelity and effectiveness of CDC-recognized organizations offering the National DPP lifestyle change program; to award CDC recognition to those organizations achieving fidelity to the DPRP Standards; to inform key National DPP stakeholders of aggregate program performance and outcomes; and to provide data-driven technical assistance to CDC-recognized organizations and priority populations served by the National DPP. CDC recognition is pivotal to an organization's ability to ensure effective program delivery and bill private and public health insurers, and for continued MDPP implementation.

State how long the sensitive or personal information will be maintained. This information is crucial. If sensitive information is maintained for even one day, the Privacy Act will apply and we will have to provide language in the clearance package.


CDC will not maintain any sensitive or personal PII participant-level information. CDC will store de-identified data for CDC-recognized organizations in password-protected files in a secure facility. CDC has maintained protected files since 2011 for organizations delivery sites and will continue to do so indefinitely.


Will identifiable information be filed and retrieved by the name of the individual?


No PII, directly or indirectly identifiable, on participants will be transmitted to CDC. Participants will not be named. They will be assigned de-identified participant IDs at the participating organization-level. The DPRP Data Poral will incorporate standard procedures for checking the format and for validating the content of evaluation data submissions upon receipt. CDC will not accept any evaluation data that does not conform to the specified format or includes any PII. If a CDC-recognized organization sends this type of information in error, CDC will return and immediately destroy it.


Specify in the cover letter where the consent/advisement language can be found (i.e., The consent form is located in Attachment 2. or The advisement information is contained in the letter to respondents located in Attachment 4. or The advisement information is contained in the telephone transcript located in Attachment 3.)


A consent form is not necessary for organization-level respondents, as CDC does not collect any PII on any individual participants. Participating organizations are expressly prohibited from providing any participant-level PII. All participant data are de-identified at the participating organization-level before such data even reach CDC.



2

File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File TitleDoes the data collection involve collecting sensitive and/or personally identifiable information
Authornsg
File Modified0000-00-00
File Created2025-05-19

© 2025 OMB.report | Privacy Policy